Vendor: Crea8Social
By: r0seMary
CVSS: 7.5 (HIGH)
Type: Cross-Site Scripting (XSS)
CWE: 79
Product Name: Crea8Social
Affected Version From: v.2.0
Affected Version To: v.2.0
Patch Exists: NO
Related CWE: N/A
CPE: a:crea8social:crea8social:2.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7
2015

Crea8Social v.2.0 XSS Change Interface

A user can inject malicious JavaScript code into the Game Content field when adding a game, which will be executed when the page is loaded. This can be used to change the user interface of the page.

Mitigation:

Input validation should be used to prevent malicious code from being injected into the Game Content field.
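
An added example (not Crea8Social's code and not part of the original report) of the mitigation above: input validation on the Game Content field, paired with HTML encoding at render time, because validation that accepts free text still stores markup characters. The function names, the length limit and the assumption that Game Content is a plain-text field are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the application's real handlers are not shown on this page.
const GAME_CONTENT_MAX_BYTES = 2000; // assumed limit for the field

/** Input validation: reject values the field should never hold. */
function validate_game_content(string $raw): string
{
    // preg_match with an empty /u pattern fails on invalid UTF-8
    if (preg_match('//u', $raw) !== 1) {
        throw new InvalidArgumentException('Game Content must be valid UTF-8');
    }
    $text = trim($raw);
    if ($text === '' || strlen($text) > GAME_CONTENT_MAX_BYTES) {
        throw new InvalidArgumentException('Game Content is empty or too long');
    }
    // Control characters other than tab, LF and CR have no place in this field
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $text) === 1) {
        throw new InvalidArgumentException('Game Content contains control characters');
    }
    return $text; // stored unmodified; encoding is applied when rendering
}

/** Vulnerable rendering: the stored value is concatenated into the page as markup. */
function render_game_unsafe(string $stored): string
{
    return '<div class="game-content">' . $stored . '</div>';
}

/** Hardened rendering: the stored value is encoded for an HTML text context. */
function render_game_safe(string $stored): string
{
    $encoded = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="game-content">' . $encoded . '</div>';
}

// The value from step 4 of the report below, used as test input
$submitted = '<script>document.body.innerHTML="your text here"</script><noscript>';
$stored = validate_game_content($submitted); // passes: it is well-formed text

echo render_game_unsafe($stored), PHP_EOL; // markup passed through unchanged
echo render_game_safe($stored), PHP_EOL;   // markup characters encoded, displayed as text
```

If the field must accept markup such as an embed snippet, encoding alone is not enough and an allowlist-based HTML sanitizer is needed instead.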
Source

Exploit-DB raw data:

# Exploit Title: Crea8Social v.2.0 XSS Change Interface
# Google Dork: intext:Copyright © 2014 CreA8social.
# Date: January 3, 2015
# Exploit Author: r0seMary
# Vendor Homepage: http://crea8social.com
# Software Link: http://codecanyon.net/item/crea8social-php-social-networking-platform-v20/9211270 or http://crea8social.com
# Version: v.2.0 (Latest version)
# Tested on: Windows 7
# CVE : -
================================================================================
Bismillahirahmanirahim
Assalamualaikum Wr.Wb

--[Fatal Xss Vulnerability]--
1. Register on the site
2. Go to Menu, Click Game
3. Add Game
4. At Game Content, enter your XSS code. For example:
<script>document.body.innerHTML="your text here"</script><noscript>

Look at the result: the user interface changes into your XSS code ;)

Proof of Concept:
http://104.131.164.9/demo/games/124 (Crea8Social Official Site)

./r0seMary
Wassalamualaikum.wr.wb