## https://sploitus.com/exploit?id=PACKETSTORM:167687
## Title: paymoney-3.3 XSS-Reflected  
## Author: nu11secur1ty  
## Date: 07.02.2022  
## Vendor: https://paymoney.techvill.org/  
## Software: paymoney-3.3  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/paymoney/2022/paymoney-3.3  
  
Description:  
The first_name and last_name parameters in Users are vulnerable to  
reflected XSS in Paymoney-3.3. Already authenticated users can  
hijack the XSRF-Token and use it for malicious purposes on  
internal and external domains.  
  
STATUS: Medium  
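
A defensive sketch for the two affected fields, added here as an example and not taken from the advisory or from the vendor's code: validate first_name and last_name on the server, and encode any submitted value before it is echoed back, including values that failed validation. The function names, the 64-character limit and the allowed punctuation are assumptions.

```python
import html
import unicodedata

# Assumed policy (not from the advisory): a name is 1-64 characters made of
# letters, combining marks, spaces, apostrophes, hyphens and periods.
MAX_LEN = 64
ALLOWED_PUNCT = {" ", "'", "-", "."}


def validate_name(value):
    """Return the normalized name, or raise ValueError if it is not name-like."""
    value = unicodedata.normalize("NFC", value).strip()
    if not 1 <= len(value) <= MAX_LEN:
        raise ValueError("name length out of range")
    for ch in value:
        # Unicode categories L* (letters) and M* (marks) keep names such as
        # "Zoë" valid while rejecting markup characters like < > " = /
        if unicodedata.category(ch)[0] in ("L", "M") or ch in ALLOWED_PUNCT:
            continue
        raise ValueError(f"character not allowed in a name: {ch!r}")
    return value


def render_input(field, submitted):
    """Re-display a submitted value inside an HTML attribute, encoded for it."""
    # quote=True also encodes " and ', so the value cannot close the attribute.
    # This applies to rejected input too: the reflection happens when the form
    # is shown again, whether or not validation passed.
    return '<input name="{}" value="{}">'.format(
        html.escape(field, quote=True), html.escape(submitted, quote=True)
    )


def handle_profile_form(form):
    """Validate first_name and last_name; return (clean_values, errors)."""
    clean, errors = {}, {}
    for field in ("first_name", "last_name"):
        try:
            clean[field] = validate_name(form.get(field, ""))
        except ValueError as exc:
            errors[field] = str(exc)
    return clean, errors
```

Validation alone is not the fix: a legitimate name such as O'Brien contains a quote character, so the encoding step in `render_input` is what keeps the reflected value inert.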
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/paymoney/2022/paymoney-3.3)  
  
## Proof and Exploit:  
[href](https://streamable.com/fhzvyr)