xoffense changed the title XSS Vulnerability in "category: parameter → XSS Vulnerability in "category" parameter (Mar 11, 2021)
Sorry for the late reply. We will release a new version this month and will add fixes for the issues you reported.
Thanks again for your great support for the Seo Panel project.
Regards,
Geo Varghese <http://www.seofreetools.net>
Hi team,
I would like to report an XSS vulnerability.
Description
A cross-site scripting (XSS) issue in the SEO admin login panel version 4.8.0 allows remote attackers to inject JavaScript via the "redirect" parameter.
XSS Payload: x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22
Vulnerable parameter: category
Steps to Reproduce the Issue:
1- Log in to the SEO admin panel
2- Append the line below to the URL:
settings.php?category=x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22
3- Hover your mouse over the "Cancel" field
As you can see, the XSS is triggered and can send cookies to the attacker.
Video POC: https://drive.google.com/file/d/1af8sZTkoKpaetj0Sh0T9ON4HhUDhN6_1/view?usp=sharing
Impact
With the help of XSS, an attacker can perform social engineering on users by redirecting them from the real website to a fake one. The attacker can also steal their cookies, leading to account takeover, or download malware onto their system, and there are many more attack scenarios a skilled attacker can perform with XSS.
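As an added illustration of the attribute-injection mechanism in the report above (example code written for this page, not Seo Panel's own code): the reported payload closes the quoted attribute the `category` value is reflected into, adds an `onmouseover` handler, and re-opens a dummy attribute so the markup stays well-formed. The `<a class="cancel" ...>` markup, the `render_cancel_*` functions and the checker are assumptions; only the URL and parameter name come from the report.

```python
"""Reflected attribute-injection XSS via the `category` query parameter, and a fix.

Constructed example (not Seo Panel's code): it models a "Cancel" control whose
href reflects the `category` parameter, once unsafely and once with the value
encoded for its context (URL query value, then HTML attribute).
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote_plus, urlsplit

# The URL from the report, still URL-encoded exactly as it would be typed.
REPORTED_URL = (
    "settings.php?category=x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22"
)


def category_from_url(url: str) -> str:
    """Decode the `category` value the way a PHP $_GET lookup would."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("category", [""])[0]


def render_cancel_vulnerable(category: str) -> str:
    """Hypothetical unsafe pattern: raw value dropped into a quoted attribute."""
    return f'<a class="cancel" href="settings.php?category={category}">Cancel</a>'


def render_cancel_fixed(category: str) -> str:
    """Encode for the URL query context first, then for the HTML attribute.

    quote_plus turns '"', ' ', '=' and '()' into %XX escapes, so the value can
    no longer terminate the href attribute; escape(..., quote=True) is the
    generic attribute-context defence and would neutralise any '"' that
    survived a different encoder.
    """
    safe_value = escape(quote_plus(category), quote=True)
    return f'<a class="cancel" href="settings.php?category={safe_value}">Cancel</a>'


class _AnchorAttrs(HTMLParser):
    """Collect the attributes the browser would actually see on the <a> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs.update(attrs)


def anchor_attributes(markup: str) -> dict:
    parser = _AnchorAttrs()
    parser.feed(markup)
    return parser.attrs


def has_event_handler(markup: str) -> bool:
    """True if the parsed anchor carries any on* attribute, i.e. injection worked."""
    return any(name.lower().startswith("on") for name in anchor_attributes(markup))


if __name__ == "__main__":
    value = category_from_url(REPORTED_URL)
    for label, render in (("vulnerable", render_cancel_vulnerable),
                          ("fixed", render_cancel_fixed)):
        markup = render(value)
        print(f"{label}: {markup}")
        print(f"  handler injected: {has_event_handler(markup)}")
```

The parser-based check is what matters: grepping the raw markup for `onmouseover` would also flag the fixed output (the string is still there, just percent-encoded), whereas parsing shows that in the fixed version the browser sees only `class` and `href`, and decoding that `href` returns the original `category` value unchanged.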