Friday, 14 July 2023

Full Disclosure - WBCE 1.6.1

Application

  • WBCE v1.6.1 

Information 

  • Input not validated 
  • Stored Cross Site Scripting flaw 

Exploit 


Steps to Exploit: 

1. Login to application 
2. Browse to following URI "http://host/wbce/admin/pages/intro.php" 
3. Paste XSS payload "TEST"><img src=x onerror=alert(1)>
4. Then browse to settings Settings->General Settings->Enable Intro Page->Enabled
at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Friday Fun Pentest Series - 42 - Current Password not Required when Changing Password - flatpressv1.4.1

Description - It was noted that the application did not require the current password for the password change functionality Current Password ...