CVE-2023-49974 PoC — Customer Support System 跨站脚本漏洞

Source

Associated Vulnerability

Description

Customer Support System 1.0 - Cross-Site Scripting (XSS) Vulnerability in "contact" field/parameter on "customer_list" Page

Readme

# CVE-2023-49974
# Customer Support System 1.0 - Cross-Site Scripting (XSS) Vulnerability in "contact" field/parameter on "customer_list" Page

**Description**: Customer Support System 1.0 is vulnerable to stored XSS. A XSS vulnerability exists in version 1 of the Customer Support System. A malicious actor can insert JavaScript code through the "contact" field/parameter when editing/creating a customer. The code is executed whenever the page "/customer_support/index.php?page=customer_list" is visited.  

**Vulnerable Product Version**: Customer Support System 1.0  
**CVE Author**: Geraldo Alcântara  
**Date**: 28/11/2023  
**Confirmed on**: 19/12/2023  
**CVE**: CVE-2023-49974  
**Tested on**: Windows  
### Steps to reproduce:  
1. Log in to the application.  
2. Navigate to "/customer_support/index.php?page=customer_list" to edit an existing customer or "/customer_support/index.php?page=new_customer" to create a new customer.
3. Create or edit a customer and insert the malicious payload into the "contact" field/parameter.  
4. Payload:
```
</dt></b><script>alert(document.domain)</script>
```     

Discoverer(s)/Credits:  
Geraldo Alcântara

File Snapshot

 [4.0K]  /data/pocs/811db81f0eae1e2e731e7a079fcbd539a0a8539e
└── [1.1K]  README.md

0 directories, 1 file

Remarks