Polaris Web 1.21.1 - Reflected XSS

2023.07.27
Mahdi eidi (RU)
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Exploit Title: Polaris Web 1.21.1 - Reflected XSS
# Exploit Author: mahdi eidi
# Date: 2023-07-09
# Vendor: Siap+Micros S.p.A.
# Technology: PHP
# Vendor Homepage: https://www.siapmicros.com/en/application/
# Tested on: Kali Linux
# Impact: Manipulate the JavaScript content of the site

## Description
An attacker can inject their own malicious JavaScript code into vulnerable parameters and perform various actions, such as stealing the victim's session token or other users' login credentials.

# Technical Details & POC
1- Log in to the web site.
2- Find a parameter vulnerable to reflected XSS [destination, format, daily_day, sort, ...].
3- Payload: '"><img/src/onerror=alert(1)>'
4- Sample path: [https://exampel.com/polaris/custom-synoptic?format= RXSS Payload Inject]
5- Send the GET request.
6- Boom! The alert payload fires.
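The steps above describe markup being reflected from query parameters of /polaris/custom-synoptic. As an added detection example (not part of the advisory, and not vendor code), the script below scans combined-format access log lines, percent-decodes the query string and flags the parameters the advisory names when their value contains a tag opener or an inline event handler; the log lines are constructed, and the parameter list and path are taken from the advisory as assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameters the advisory lists as reflected (assumed complete for this example).
WATCHED_PARAMS = {"destination", "format", "daily_day", "sort"}
VULN_PATH = "/polaris/custom-synoptic"

# Markup that has no business in these filter parameters:
# a tag opener followed by a name, or an inline on*= event handler attribute.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed combined-format access log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jul/2023:10:00:01 +0000] "GET /polaris/custom-synoptic?format=daily&sort=asc HTTP/1.1" 200 512',
    '203.0.113.5 - - [09/Jul/2023:10:00:07 +0000] "GET /polaris/custom-synoptic?format=%27%22%3E%3Cimg%2Fsrc%2Fonerror%3Dalert(1)%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [09/Jul/2023:10:01:00 +0000] "GET /polaris/login?next=%3Cb%3E HTTP/1.1" 200 300',
]


def parse_request_line(line: str):
    """Return (method, target) from a combined-format log line, or None if it does not parse."""
    m = re.search(r'"(GET|POST|HEAD)\s+(\S+)\s+HTTP/[\d.]+"', line)
    if not m:
        return None
    return m.group(1), m.group(2)


def suspicious_params(target: str) -> dict:
    """Map watched parameter -> decoded value for values containing markup on the affected path."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return {}
    hits = {}
    # parse_qsl percent-decodes once; unquote again so double-encoded values are also inspected.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in WATCHED_PARAMS and MARKUP_RE.search(unquote(value)):
            hits[name] = value
    return hits


def scan_log(lines):
    """Return [(line_number, param, decoded_value)] for every suspicious watched parameter."""
    findings = []
    for n, line in enumerate(lines, 1):
        req = parse_request_line(line)
        if req is None:
            continue
        for param, value in suspicious_params(req[1]).items():
            findings.append((n, param, value))
    return findings


if __name__ == "__main__":
    for n, param, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: parameter {param!r} carries markup: {value!r}")
```

Only the second line is reported: the first carries ordinary values and the third hits a path and parameter outside the advisory's scope.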



Copyright 2024, cxsecurity.com
