Zenario 9.7.61188 - Reflected XSS

GrimTheRipper
Sep 3, 2024

--

Description:

A Reflected XSS issue was discovered in Zenario 9.7.61188.

We found an XSS vulnerability that allows an attacker to reflect XSS by editing the properties of an image in the Image library.

Affected Component:

http://[ip]/zenario-probusiness-9.7/organizer.php?fromCID=1&fromCType=html#zenario__library/panels/image_library//5~.zenario_image~tdetails~k{%22id%22%3A%225%22}

Payload:

<script>alert(/Grim The Ripper Team by SOSECURE Thailand/)</script>

Proof of Concept:

First, log in to the target application.

Browse to the target: http://IP/zenario-probusiness-9.7/

We log in to the target application with admin privileges.

Logging in to the console page as admin.

Select the Menu, then click on the Image library function.

Administrator console page.

Select the Image properties and link function.

Image library page.

Enter the XSS payload in the Organizer tags field.

Payload entered in the Organizer tags field.

Then click the “Save” button.

The page after saving.

The XSS payload will run immediately.

The payload is executed.
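The defect behind this PoC is that the saved Organizer tag is written back into the page without output encoding. The example below is added here and is not Zenario's code: it models the vulnerable rendering beside the fixed one, adds an assumed save-time allowlist for tag values, and includes a regression check a tester can run against rendered output. The tag allowlist and the HTML structure are assumptions for illustration.

```python
import html
import re

# Constructed sample input: the tag value from the advisory's payload plus two normal tags.
SAMPLE_TAGS = [
    "product-photo",
    "<script>alert(/Grim The Ripper Team by SOSECURE Thailand/)</script>",
    "banner 2024",
]

# Assumed policy for an organizer tag: letters, digits, space, hyphen, underscore, 1-64 chars.
# (Zenario's real validation rules are not described on the page.)
TAG_ALLOWED = re.compile(r"^[A-Za-z0-9 _-]{1,64}$")


def validate_tags(tags):
    """Save-time input validation: return (accepted, rejected) tag lists."""
    accepted, rejected = [], []
    for tag in tags:
        (accepted if TAG_ALLOWED.fullmatch(tag) else rejected).append(tag)
    return accepted, rejected


def render_tags_unsafe(tags):
    """Vulnerable rendering: tag text is concatenated into the page unescaped,
    which is the behaviour the advisory reports (payload runs on load)."""
    items = "".join(f"<li>{tag}</li>" for tag in tags)
    return f'<ul class="organizer-tags">{items}</ul>'


def render_tags_safe(tags):
    """Fixed rendering: each tag is escaped for the HTML text context before
    being written into the page, so the payload is displayed as plain text."""
    items = "".join(f"<li>{html.escape(tag, quote=True)}</li>" for tag in tags)
    return f'<ul class="organizer-tags">{items}</ul>'


SCRIPT_OPEN = re.compile(r"<\s*script\b", re.IGNORECASE)


def leaks_script(rendered_html):
    """Regression check: True if a live <script> open tag reached the output."""
    return SCRIPT_OPEN.search(rendered_html) is not None
```

Both layers are worth keeping: the allowlist stops the payload from being stored, and the output encoding protects any page that renders tags saved before the fix.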

Author:

Grim The Ripper Team by SOSECURE Thailand

--
