Steps to reproduce the vulnerability(POC):
1- Goto 4images admin panel page (demo instance:https://localhost/4images/admin/index.php)
2- Enter the credentials , Turn on the intercept and click on "Login"
3- copy paste the XSS payload after redirect=./../admin/index.php%3Fsessionid=xxxxxPASTEPAYLOADHERE
4-Forward the request and you can see XSS is triggered.
Impact:
With the help of xss attacker can perform social engineering on users by redirecting them from a real website to a fake ones. Attacker can steal their cookies leading to account takeover and download malware on their system, and there are many more attacking scenarios a skilled attacker can perform with XSS.
The text was updated successfully, but these errors were encountered:
Steps to reproduce the vulnerability(POC): 1- Goto 4images admin panel page (demo instance:https://localhost/4images/admin/index.php) 2- Enter the credentials , Turn on the intercept and click on "Login" 3- copy paste the XSS payload after redirect=./../admin/index.php%3Fsessionid=xxxxxPASTEPAYLOADHERE 4-Forward the request and you can see XSS is triggered.
Impact: With the help of xss attacker can perform social engineering on users by redirecting them from a real website to a fake ones. Attacker can steal their cookies leading to account takeover and download malware on their system, and there are many more attacking scenarios a skilled attacker can perform with XSS.
Vulnerable parameter: redirect
XSS sample Payload: '"()%26%25<ScRiPt%20>alert(document.cookie)</ScRiPt>
Steps to reproduce the vulnerability(POC):
1- Goto 4images admin panel page (demo instance:https://localhost/4images/admin/index.php)
2- Enter the credentials , Turn on the intercept and click on "Login"
3- copy paste the XSS payload after
redirect=./../admin/index.php%3Fsessionid=xxxxxPASTEPAYLOADHERE4-Forward the request and you can see XSS is triggered.
Video POC: https://drive.google.com/file/d/12T39ZCqpbdz29gKptIdPnNHy1Nudr9Cs/view?usp=sharing
Impact:
With the help of xss attacker can perform social engineering on users by redirecting them from a real website to a fake ones. Attacker can steal their cookies leading to account takeover and download malware on their system, and there are many more attacking scenarios a skilled attacker can perform with XSS.
The text was updated successfully, but these errors were encountered: