## https://sploitus.com/exploit?id=PACKETSTORM:177438
# Exploit Title: Stored XSS in Solar-Log 200 3.6.0 web panel  
# Date: 10-30-23  
# Exploit Author: Vincent McRae, Mesut Cetin - Redteamer IT Security  
# Vendor Homepage: https://www.solar-log.com/en/  
# Version: Solar-Log 200 PM+ 3.6.0 Build 99 - 15.10.2019  
# Tested on: Proprietary devices: https://www.solar-log.com/en/support/firmware/  
# CVE: CVE-2023-46344  
  
# POC:  
  
1. Go to the Solar-Log web panel  
2. Go to configuration -> Smart Energy -> "drag & drop" button.  
3. Change "name" to: <xss onmouseenter="alert(document.cookie)" style=display:block>test</xss>  
4. Once you hover over "test", the XSS fires -> if a higher-privileged user hovers over it, their cookies can be obtained.
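
The fix for this class of bug, shown as an added example (not part of the original advisory and not Solar-Log firmware code): a tag blocklist misses the PoC value because it uses an unknown element with an event-handler attribute, while output encoding and an allow-list check at save time both neutralize it. The function names, the `device-name` class and the name policy are assumptions made for illustration.

```javascript
// Added example: hypothetical names, not Solar-Log firmware code.

// Constructed sample: the "name" value from step 3 of the PoC.
const POC_NAME =
  '<xss onmouseenter="alert(document.cookie)" style=display:block>test</xss>';

// Weak approach: strip known-bad tags. The PoC uses an unknown element
// with an event-handler attribute, so nothing here matches.
function blocklistFilter(name) {
  return name.replace(/<\/?(script|iframe|object|embed)\b[^>]*>/gi, '');
}

// Output encoding: every HTML metacharacter becomes an entity, so the
// stored value is rendered as text whatever tag or attribute it contains.
const ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Input validation at save time (assumed policy): letters, digits, space
// and a few punctuation characters, 1 to 32 characters long.
function isValidDeviceName(name) {
  return typeof name === 'string' && /^[A-Za-z0-9 _.\-]{1,32}$/.test(name);
}

// Hypothetical renderer for one entry in the device list.
function renderDeviceLabel(name) {
  return '<span class="device-name">' + escapeHtml(name) + '</span>';
}

// Summary of how each control treats the PoC value.
function evaluatePoc() {
  return {
    blocklistUnchanged: blocklistFilter(POC_NAME) === POC_NAME,
    acceptedByValidator: isValidDeviceName(POC_NAME),
    rendered: renderDeviceLabel(POC_NAME),
  };
}

console.log(evaluatePoc());
```

Setting the `HttpOnly` attribute on the session cookie additionally keeps `document.cookie` from exposing it to injected script.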