Paymoney 3.3 Cross Site Scripting
Paymoney version 3.3 suffers from a cross site scripting vulnerability.
## Title: paymoney-3.3 XSS-Reflected
## Author: nu11secur1ty
## Date: 07.02.2022
## Vendor: https://paymoney.techvill.org/
## Software: paymoney-3.3
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/paymoney/2022/paymoney-3.3

Description:
The parameters first_name and last_name in Users are vulnerable to reflected XSS on Paymoney-3.3. Already authenticated users can hijack the XSRF-Token and use it for malicious purposes on internal and external domains.

STATUS: Medium

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/paymoney/2022/paymoney-3.3)

## Proof and Exploit:
[href](https://streamable.com/fhzvyr)
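
The fix pattern for reflected name fields like first_name and last_name, as an added example that is not code from the advisory or from Paymoney: validate on input with an allow-list and encode on output. The function names and the sample record are constructed, and the sketch assumes the values are rendered into HTML element content.

```javascript
// Added illustration, not Paymoney's code. All function names are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow-list for name fields: starts with a letter (any script), then letters,
// combining marks, space, period, apostrophe or hyphen, 64 characters at most.
const NAME_RE = /^\p{L}[\p{L}\p{M} .'-]{0,63}$/u;

function isValidName(value) {
  return typeof value === 'string' && NAME_RE.test(value.normalize('NFC'));
}

// Input side: report which of the two fields fail the allow-list so the
// request can be rejected before anything is stored or reflected.
function invalidNameFields(user) {
  return ['first_name', 'last_name'].filter((field) => !isValidName(user[field]));
}

// The pattern behind this bug class: request values concatenated into markup as-is.
function renderUserRowUnsafe(user) {
  return `<td>${user.first_name}</td><td>${user.last_name}</td>`;
}

// Output side: always encode, even for values that passed validation.
// A legitimate name such as O'Brien still contains a character that needs it.
function renderUserRowSafe(user) {
  return `<td>${escapeHtml(user.first_name)}</td><td>${escapeHtml(user.last_name)}</td>`;
}

// Constructed sample record: harmless markup in one field, a valid name in the other.
const sample = { first_name: '<b>x</b>', last_name: "O'Brien" };
console.log(invalidNameFields(sample));
console.log(renderUserRowUnsafe(sample));
console.log(renderUserRowSafe(sample));
```

Validation alone is not sufficient because the allow-list has to admit apostrophes; the output encoding is what keeps the value inert in the page.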