ଜମା କରନ୍ତୁ #181817: Wedding Wonders 1.0 - Stored XSSସୂଚନା

ଶୀର୍ଷକ	Wedding Wonders 1.0 - Stored XSS
ବର୍ଣ୍ଣନା	# Exploit Title: Wedding Wonders 1.0 - Stored XSS # Exploit Author: skalvin aka (CraCkEr) # Date: 13/07/2023 # Vendor: Bug Finder # Vendor Homepage: https://bugfinder.net/ # Software Link: https://bugfinder.net/product/wedding-wonders-a-matrimonial-and-matchmaking-platform/17 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site ## Description Allow Attacker to inject malicious code into website, give ability to steal sensitive information, manipulate data, and launch additional attacks. Path: /weeding-wonders/user/ticket/create POST parameter 'message' is vulnerable to XSS ----------------------------------------------------------- POST /weeding-wonders/user/ticket/create HTTP/2 Content-Disposition: form-data; name="subject" Anything ----------------------------------------------------------- Content-Disposition: form-data; name="message" <script>alert(1)</script> ----------------------------------------------------------- ## Steps to Reproduce: 1. Login as a (Normal User) 2. Go to [My Profile] on this Path: https://website/weeding-wonders/user/profile 3. Click on [Support Ticket] on this Path: https://website/weeding-wonders/user/ticket 4. Click on [Create Ticket] 5. Enter Any Subject 6. Inject your XSS Payload in [Message Box] 7. Click on [Submit] 8. When ADMIN visit [SUPPORT TICKETS] on this Path: https://website/weeding-wonders/admin/tickets and Open the [New Pending Ticket] 9. XSS Will Fire and Executed on his Browser [-] Done
ଉପଭୋକ୍ତା	skalvin (UID 49463)
ଦାଖଲ	07/12/2023 11:54 PM (3 ବର୍ଷ ବର୍ଷ ago)
ମଧ୍ୟମ ଧରଣର	07/21/2023 10:41 PM (9 days later)
ସ୍ଥିତି	ଗ୍ରହଣ କରାଯାଇଛି
VulDB ଏଣ୍ଟ୍ରି	235158 [Bug Finder Wedding Wonders 1.0 Ticket /user/ticket/create ବାର୍ତ୍ତା କ୍ରସ୍ ସାଇଟ୍ ସ୍କ୍ରିପ୍ଟିଂ]
ପଏଣ୍ଟ	17

◂ ପଛକୁ ସମୀକ୍ଷା ଆହୁରି ଦୂରରେ ▸

Might our Artificial Intelligence support you?

Check our Alexa App!