Car Rental System 2.6 Cross Site Scripting ↭ – Digitalmunition




Exploit/Advisories no-image-featured-image.png

Published on April 7th, 2020 📆 | 2576 Views ⚑

0

Car Rental System 2.6 Cross Site Scripting ↭

# Exploit Title: Car Rental System 2.6 XSS Vunlerability
# Google Dork:N/A
# Date: 2020-04-04
# Exploit Author: @ThelastVvV
# Vendor Homepage: https://codecanyon.net/item/car-rental-system/2734072?s_rank=5
# Version: 2.6
# Tested on: 5.4.0-kali4-amd64

———————————————————

Summary:

Persistent Cross-site Scripting in Customer registration-form all-tags

PoC 1:

1- Go to the car renting page then choose new customor
http://example/car-rental/

2- In “any ” field of registration form type your payload :
“>

3-then hit CONTINUE

4- Once the admin logs into the admin home page … the admin will be xssed

http://example/car-rental/cp/admin-home.php

Impact:
XSS can lead to adminstators/users’s Session Hijacking, and if used in conjunction with a social engineering attack it can also lead to disclosure of sensitive data, CSRF attacks and other critical attacks on administrators directly.

Screentshoots:
https://i.imgur.com/ybUZwEL.png

Source link

Tagged with:



Leave a Reply

Your email address will not be published. Required fields are marked *


loading...