Vanguard 2.1 Cross Site Scripting

Vanguard version 2.1 suffers from multiple cross site scripting vulnerabilities.

MD5 | affaaefc0f4549a9c786b4ba2a2a814c

# Exploit Title: Vanguard 2.1  Multi XSS Vunlerabilities
# Google Dork:N/A
# Date: 2020-04-04
# Exploit Author: @ThelastVvV
# Vendor Homepage:
# Version: 2.1
# Tested on: 5.4.0-4parrot1-amd64



Persistent Cross-site Scripting in message&product title-tags also there's Non-Persistent Cross-site scripting in product search box.

PoC 1:

A- Message

1- create an account on vanguard marketplace
2- go to send mail

In the "Object" field type my my preferred payload : "><img src=x onerror=prompt(document.domain);>

3-then choose the target (username ) then hit submit
4- now go to the mailbox and click on the msg

et voila xssed!

PoC 2:


1-go to add new product
2- In the "Product Name" field type my my preferred payload : "><img src=x onerror=prompt(document.domain);>
2- now view the product page
3 -click on download in the product page

et voila xssed!

PoC 3:

In Products Search box use payload:
"><img src=x onerror=prompt(document.domain);>

XSS can lead to user's Session Hijacking, and if used in conjunction with a social engineering attack it can also lead to disclosure of sensitive data, CSRF attacks and other critical attacks on all users of the product .


A -

Related Posts