Paymoney 3.3 Cross Site Scripting

Paymoney version 3.3 suffers from a cross site scripting vulnerability.


SHA-256 | 5cc7c6a3d00e691e2a81d9cf0db8ad5e6b88fc993d898fd9d54b3c0511bcc5e3

## Title: paymoney-3.3 XSS-Reflected
## Author: nu11secur1ty
## Date: 07.02.2022
## Vendor: https://paymoney.techvill.org/
## Software: paymoney-3.3
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/paymoney/2022/paymoney-3.3

Description:
The parameters first_name and last_name in Users are vulnerable from
XSS-Reflected on Paymoney-3.3. The already authenticated users can be
hijacking the XSRF-Token and they can use it for malicious purposes on
internal and external domains.

STATUS: Medium

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/paymoney/2022/paymoney-3.3)

## Proof and Exploit:
[href](https://streamable.com/fhzvyr)



Related Posts