PHPMailer versions prior to 5.2.23 suffer from a cross site scripting vulnerability.
1b25e7c937e0dcc26d33ddd071b6a29508d5f9760b15d8fd0b456d5b8050b7a9[-] Title : PHPMailer < 5.2.23 - Cross-Site Scripting
[-] Author : Shahab Shamsi
[-] Software Link : https://github.com/PHPMailer/PHPMailer
[-] Version: [ 5.2.23 ]
[-] Tested on : [ Kali , Windows ]
[-] Category : Webapps
[-] Date : 2017-06-22
Vulnerable page :
/code_generator.php
Vulnerable Source :
312: echo $from_name;
18: $from_name = $_POST['From_Name'] : '';
313: echo $from_email;
19: $from_email = $_POST['From_Email'] : '';
314: echo $to_name;
20: $to_name = $_POST['To_Name'] : '';
315: echo $to_email;
21: $to_email = $_POST['To_Email'] : '';
POC :
http://localhost/code_generator.php
step 1 = Go To Web Page = http://localhost/code_generator.php
Step 2 = In the box : "From Email Address" AND "To Email Address"
Step 3 = input box , Add JavaScript Code : <script>alert('XSS')</script>
************************
* ==> Contact Me :
* Telegram : @Shahab_Shamsi
* Email : info@securityman.org
* WebSilte : WwW.iran123.Org
************************
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed