CVE-2023-37191 PoC — Issabel PBX 跨站脚本漏洞

Source

Associated Vulnerability

Readme

## Issabel-pbx 4.0.0-6 - Stored Cross Site Scripting ###

**Description:**
A stored cross-site scripting (XSS) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows attackers to execute arbitrary code i.e. JavaScripts or HTML code via a crafted payload injected into the Group and Description parameters.

**Vulnerable Product Version:**
issabel-pbx 4.0.0-6

**Date:**
07/07/2023

**CVE:** 
CVE-2023-37191

**CVE Author:**
Sahil Ojha

**Vendor Homepage:**
https://www.issabel.org/

**Software Link:** 
https://github.com/IssabelFoundation/issabelPBX

**Tested on:** 
Windows


**Steps to reproduce:**
1. Go to issabel PBX application and login with admin credentials.
 
2.	Navigate to “System --> Users --> Groups”. Input the following payload ”><script>alert(1)</script> in the Group and Description input field as shown in figure below.

  ![HTML Render](https://github.com/sahiloj/CVE-2023-37191/blob/main/1.png)
  --              

3.	Click on the save button and the payload will be executed successfully. Whenever the webpage is visited by any user the script executes in the victim’s browser. This can lead to session cookies hijacking, Permanent redirection to attacker's controlled domain or applicaiton deface and many more.
 
 ![HTML Render](https://github.com/sahiloj/CVE-2023-37191/blob/main/2.png)
 --

File Snapshot

 [4.0K]  /data/pocs/813d137feb5394bbc1415c7ac23c2efe2cc34fac
├── [ 74K]  1.png
├── [ 38K]  2.png
└── [1.3K]  README.md

0 directories, 3 files

Remarks