
Published on May 27th, 2023


Zenphoto 1.6 Cross Site Scripting – Torchsec


Exploit Title: Zenphoto 1.6 - Multiple stored XSS
Application: Zenphoto-1.6 xss poc
Version: 1.6
Bugs: XSS
Technology: PHP
Vendor URL: https://www.zenphoto.org/news/zenphoto-1.6/
Software Link: https://github.com/zenphoto/zenphoto/archive/v1.6.zip
Date found: 01-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
1. Create a new album.
2. Write the Album Description :
3. Save and view the album at http://localhost/zenphoto-1.6/index.php?album=new-album or http://localhost/zenphoto-1.6/

1. Go to the user account and change the user data (http://localhost/zenphoto-1.6/zp-core/admin-users.php?page=users).
2. Change the postal code as
3. If the admin user information is imported as HTML, the XSS will trigger.
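As an added, defender-side illustration (not Zenphoto's code and not part of the advisory): both sinks above share the same root cause, stored user input written into HTML without encoding, and the fix is to encode at the point of output. The array layout, field names and render functions are hypothetical, and the sample values are constructed.

```php
<?php
// Added example, not Zenphoto code. Shows why stored fields such as an album
// description or a user's postal code must be HTML-encoded when rendered.

// Constructed sample records standing in for what the steps above would save.
$album = [
    'title'       => 'new-album',
    'description' => '<b>Summer</b> trip <i>2023</i>',   // constructed, user-controlled
];
$user = [
    'name'        => 'admin',
    'postal_code' => '12345" extra="x',                  // constructed, user-controlled
];

// Vulnerable pattern: the stored value is concatenated into the page verbatim,
// so any markup the user saved is interpreted by the browser.
function renderAlbumVulnerable(array $album): string
{
    return '<h2>' . $album['title'] . '</h2><p>' . $album['description'] . '</p>';
}

// Hardened pattern: every untrusted value is encoded where it enters markup.
// ENT_QUOTES covers attribute contexts; ENT_SUBSTITUTE avoids empty output on
// invalid UTF-8 instead of silently dropping the whole string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderAlbumSafe(array $album): string
{
    return '<h2>' . e($album['title']) . '</h2><p>' . e($album['description']) . '</p>';
}

// The admin user list is the second sink named above: the postal code lands in
// a form field, i.e. an attribute context, where an unescaped quote can break out.
function renderPostalCodeSafe(array $user): string
{
    return '<input name="postal_code" value="' . e($user['postal_code']) . '">';
}

echo renderAlbumVulnerable($album), PHP_EOL;   // markup is live in the page
echo renderAlbumSafe($album), PHP_EOL;         // markup is displayed as text
echo renderPostalCodeSafe($user), PHP_EOL;     // quote cannot close the attribute
```

Run with `php example.php` and compare the first two lines: the same stored description is interpreted as tags in one and shown literally in the other.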

PoC video: https://youtu.be/JKdC980ZbLY
