Friday, 14 July 2023

Full Disclosure - WBCE 1.6.1

Application

  • WBCE v1.6.1 

Information 

  • Input not validated 
  • Stored Cross Site Scripting flaw 

Exploit 


Steps to Exploit: 

1. Login to application 
2. Browse to following URI "http://host/wbce/admin/pages/intro.php" 
3. Paste XSS payload "TEST"><img src=x onerror=alert(1)>
4. Then browse to settings Settings->General Settings->Enable Intro Page->Enabled
at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Friday Fun Pentest Series - 46 - Stored Cross-Site Scripting (XSS) via SVG File Upload - totaljsv5013

Description - It was noted that the applications file upload functionality was vulnerable to Stored Cross-Site Scripting (XSS) via an SVG im...