######################################################################### Exploit Title: Match Clone Script 1.0.4 - Cross-Site Scripting# Date: 23.02.2018# Vendor Homepage: https://www.phpscriptsmall.com/# Software Link: https://www.phpscriptsmall.com/product/match-clone/# Category: Web Application# Exploit Author: ManhNho# Version: 1.0.4# Tested on: Window 10 / Kali Linux# CVE: CVE-2018-9857##########################################################################
Description
------------------------
PHP Scripts Mall Match Clone Script 1.0.4 has XSS via the search field to
searchbyid.php (aka the "View Search By Id" screen).
Proof of Concept
------------------------1. Access to site
2. Choose “Search”
3. Choose "View Search By Id"3. Put <script>alert('ManhNho')</script>in search field
4. You will be having a popup: ManhNho
References:------------------------
https://pastebin.com/Y9uEC4nu
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9857
