Full Disclosure mailing list archives
[CVE-2018-18845] Cross Site Scripting in Advanced comment system v1.0
From: Rafael Pedrero <rafael.pedrero () gmail com>
Date: Tue, 19 Feb 2019 15:51:31 +0100
I thought I had reported it but not, better late than never. <!-- # Exploit Title: Cross Site Scripting in Advanced comment system v1.0 # Date: 29-10-2018 # Exploit Author: Rafael Pedrero # Vendor Homepage: http://www.plohni.com # Software Link: http://www.plohni.com/wb/content/php/download/Advanced_comment_system_1-0.zip, https://web.archive.org/web/20120214173003/http://www.plohni.com/wb/content/php/download/Advanced_comment_system_1-0.zip # Version: Advanced comment system v1.0 # Tested on: All # CVE : CVE-2018-18845 # Category: webapps 1. Description Advanced Comment System, version 1.0, the page internal/advanced_comment_system/index.php contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The product is discontinued. 2. Proof of Concept http://localhost/advanced_comment_system/index.php/ACS_path=/%F6%22%20onmouseover=prompt%28998163%29%20// or http://localhost/advanced_comment_system/index.php/%F6%22%20onmouseover=prompt%28998163%29%20// 3. Solution: The product is discontinued. --> _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- [CVE-2018-18845] Cross Site Scripting in Advanced comment system v1.0 Rafael Pedrero (Feb 21)