A cross-site scripting (XSS) issue in the SEO admin login panel version 4.8.0 allows remote attackers to inject JavaScript via the "redirect" parameter.
1- Login to SEO admin panel
2- Add below line at the end:
archive.php?from_time=2021-03-08&order_col=name&order_val=DESC&report_type=website-search-reports&search_name=x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22&sec=viewWebsiteSearchSummary&to_time=2021-03-09&website_id=http%3a%2f%2fwww.example.com
3- Hover your mouse near to "CTR" field
As you can see, XSS is triggered and can send cookies to attacker.
Impact
With the help of xss attacker can perform social engineering on users by redirecting them from real website to fake one. Attacker can steal their cookies leading to account takeover and download a malware on their system, and there are many more attacking scenarios a skilled attacker can perform with xss.
The text was updated successfully, but these errors were encountered:
Hi team,
I would like to report XSS vulnerability.
Description
A cross-site scripting (XSS) issue in the SEO admin login panel version 4.8.0 allows remote attackers to inject JavaScript via the "redirect" parameter.
XSS Payload: x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22
Vulnerable parameter: search_name
Steps to Reproduce the Issue:
1- Login to SEO admin panel
2- Add below line at the end:
archive.php?from_time=2021-03-08&order_col=name&order_val=DESC&report_type=website-search-reports&search_name=x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22&sec=viewWebsiteSearchSummary&to_time=2021-03-09&website_id=http%3a%2f%2fwww.example.com
3- Hover your mouse near to "CTR" field
As you can see, XSS is triggered and can send cookies to attacker.
Video POC: https://drive.google.com/file/d/1qRnOyVoUhmaZnDcNMwi4U5RiLwoukq3b/view?usp=sharing
Impact
With the help of xss attacker can perform social engineering on users by redirecting them from real website to fake one. Attacker can steal their cookies leading to account takeover and download a malware on their system, and there are many more attacking scenarios a skilled attacker can perform with xss.
The text was updated successfully, but these errors were encountered: