version).
The attacker can steal the admin's cookies and log in to the admin panel.
Note: Only the admin can see this.
Steps to reproduce the vulnerability:
1. Create a new URL to shorten --> In the input field, enter this payload --> anything"><img src=x onerror=prompt(1)>*
* JavaScript code to inject.
2. Click the "Shorten" button.
3. Wait until the administrator logs in to the admin panel.
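To show why the stored payload above fires only when the admin views it, here is an added example (not the advisory author's or the vendor's code) contrasting the unescaped rendering pattern that causes this stored XSS with an output-encoded version and a submission-time URL check; the function and variable names are assumptions for illustration.

```python
# Added example, not code from the advisory or the affected product.
# Models a URL shortener's admin list rendering a user-submitted URL.
import html
from urllib.parse import urlsplit

# The payload quoted in the advisory, used here as a constructed sample input.
ADVISORY_PAYLOAD = 'anything"><img src=x onerror=prompt(1)>'


def render_row_unsafe(stored_url: str) -> str:
    """Vulnerable pattern: the stored value is dropped into an attribute and
    into text with no encoding. The '"' in the payload closes the href
    attribute, '>' closes the tag, and the <img> is parsed as live markup
    when the admin opens the panel, so its onerror handler runs."""
    return f'<td><a href="{stored_url}">{stored_url}</a></td>'


def render_row_safe(stored_url: str) -> str:
    """Hardened rendering: HTML-encode for both the attribute and the text
    context. quote=True also encodes '"', so the attribute cannot be broken
    out of and the browser sees only inert text."""
    enc = html.escape(stored_url, quote=True)
    return f'<td><a href="{enc}">{enc}</a></td>'


def is_acceptable_shorten_target(candidate: str) -> bool:
    """Defence in depth at submission time: accept only absolute http(s)
    URLs with a host, so markup never reaches storage in the first place.
    Output encoding above is still required; this check is not a substitute."""
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def contains_live_img_tag(rendered: str) -> bool:
    """Simple check used to compare the two renderers: does the output
    contain an un-encoded <img tag that a browser would execute?"""
    return "<img" in rendered.lower()


if __name__ == "__main__":
    print("unsafe :", render_row_unsafe(ADVISORY_PAYLOAD))
    print("safe   :", render_row_safe(ADVISORY_PAYLOAD))
    print("payload accepted as URL?", is_acceptable_shorten_target(ADVISORY_PAYLOAD))
```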
Screenshots:
1. http://i.imgur.com/G4r6uV0.png
2. http://i.imgur.com/jhGR4n2.png
3. http://i.imgur.com/gQYSqgt.png
Thank You, Kind Regards
Alvaro Diaz
Email: alvarodiazher@gmail.com
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information.