Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting

EDB-ID: 43488
Author: Mattia Furlani
Published: 2018-01-10
CVE: CVE-2018-5263
Type: Webapps
Platform: PHP
Vulnerable App: N/A

 # Date: 06-01-2018 
# Software Link:
# Exploit Author: Mattia Furlani
# CVE: CVE-2018-5263
# Category: webapps

1. Description

Whenever a user edits a message with <\textarea> inside the body, everything after the <\textarea> will be executed in the user’s browser. Works with every version up to 4.0.20

2. Proof of Concept

Login with permissions to post a message, insert <\textarea> in the body and add any html code after that, whenever a user tries to edit that message the code writed after you closed the textarea will be executed

3. Solution:

Update to version 4.0.21

Related Posts