CVE-2018-9237
================

Exploit Details
---------------

1. Exploit Title: iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site Description" field.
2. Date: 02/04/2018
3. Exploit Author: ManhNho
4. Contact: https://facebook.com/aviciicloud
5. Vendor Homepage: https://www.iscripts.com
6. Demo Page: https://www.demo.iscripts.com/easycreate/demo/
7. Version: 3.2.1
8. Tested on: Windows 10
9. Category: Webapps
10. CVE: CVE-2018-9237

Description
-----------

iScripts EasyCreate 3.2.1 is affected by an XSS vulnerability.

PoC
---

1. From the "user section", go to the "dashboard" and select "Created from saved items" with the edit option.
2. In the "edit site" action:
   - Inject to "Site Description" field.
3. Save and change, refresh, and we have an alert pop-up!
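
As an added example (not code from this advisory or from iScripts EasyCreate), the sketch below contrasts rendering a stored "Site Description" without and with output encoding, and flags already-stored values for review once the fix is in place. The function names, the record layout and the sample rows are assumptions made for illustration.

```javascript
// Added example: function names and the record layout are assumptions,
// not iScripts EasyCreate code.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored description is concatenated into markup as-is,
// so whatever was saved is parsed as HTML on every page load.
function renderSiteSummaryUnsafe(site) {
  return `<div class="site"><h3>${site.name}</h3><p>${site.description}</p></div>`;
}

// Hardened pattern: every stored field is encoded at output time.
function renderSiteSummary(site) {
  return `<div class="site"><h3>${escapeHtml(site.name)}</h3>` +
         `<p>${escapeHtml(site.description)}</p></div>`;
}

// Audit helper: return the ids of saved sites whose description contains
// markup characters, so existing rows can be reviewed after the fix.
function auditDescriptions(sites) {
  return sites.filter((s) => /[<>]/.test(String(s.description))).map((s) => s.id);
}

// Constructed sample rows (not taken from the product).
const SAMPLE_SITES = [
  { id: 1, name: 'Bakery', description: 'Fresh bread & cakes daily' },
  { id: 2, name: 'Test', description: '<script>alert(1)</script>' },
];

function demo() {
  return {
    unsafe: renderSiteSummaryUnsafe(SAMPLE_SITES[1]),
    safe: renderSiteSummary(SAMPLE_SITES[1]),
    flagged: auditDescriptions(SAMPLE_SITES),
  };
}

console.log(demo());
```

Encoding at output time keeps legitimate text such as `Fresh bread & cakes daily` intact while preventing a saved value from being parsed as markup.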