Auditor Website 2.0.1 - Cross-Site Scripting

EDB-ID: 45125 Author: Vikas Chaudhary Published: 2018-08-02
CVE: CVE-2018-13256 Type: Webapps Platform: PHP
Aliases: N/A Advisory/Source: N/A Tags: Cross-Site Scripting (XSS)
E-DB Verified: Waiting verification Exploit: Download Exploit Code Download / View Raw Vulnerable App: N/A
*******************************************************************************************
# Exploit Title:  Chartered Accountant : Auditor Website  2.0.1 - Reflected , Stored XSS
# Date: 26.06.2018
# Site Titel : Find your needs on Domain Name 
# Vendor Homepage:  https://www.phpscriptsmall.com/
# Software Link:  https://www.phpscriptsmall.com/product/cms-auditor-website/
# Category: Web Application
# Version: 2.0.1
# Exploit Author: Vikas Chaudhary
# Contact: https://www.facebook.com/profile.php?id=100011287630308
# Web:  https://gkaim.com/
# Tested on: Windows 10 -Firefox
# CVE:  CVE-2018-13256

*****************************************************************************************
 
Proof of Concept:-
--------------------------
1. Go  to the  site ( http://server/auditor/ ) .
2- Select REGISTER page  (Register now) .
3- Create an account using your Email address  => in FIRST NAME , LAST NAME  ,and PASSWORD put this script    <img src =x onError=alert("VIKAS")> 
4-  Now Check your Email and verify it .
5- Again come to site and login it using your verified Email and Password .
6- You will having popup VIKAS in you account when you loged in .

***************************************************************************************


Related Exploits

Trying to match CVEs (1): CVE-2018-13256
Other Possible E-DB Search Terms: Auditor Website 2.0.1,  Auditor Website
Date D V Title Author
2017-12-08 Waiting verification CMS Auditor Website 1.0 - SQL InjectionIhsan Sencan