BTCPay Server version 1.7.4 suffers from an HTML injection vulnerability.
# Exploit Title: BTCPay Server v1.7.4 - HTML Injection
# Date: 01/26/2023
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Vendor Homepage: https://github.com/btcpayserver/btcpayserver
# Software Link: https://github.com/btcpayserver/btcpayserver/releases/tag/v1.7.5
# Version: <=1.7.4
# Tested on: Windows 10
# CVE : CVE-2023-0493
# Description:
BTCPay Server v1.7.4 HTML injection vulnerability.
# Steps to exploit:
1. Create an account on the target website.
Register endpoint: https://target-website.com/register#
2. Move on to API keys and create an API key with the HTML injection in the label field.
Example:
<a href="https://hackerbro.in">clickhere</a>
3. Click remove/delete on the API key; the injected HTML will render.
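
The flaw class in the steps above, modelled as an added example (not BTCPay Server code, and not from the exploit author): a stored label concatenated into confirmation markup, the same template with output encoding, and a regression check for markup the template did not emit. The function names and the confirmation wording are hypothetical.

```javascript
// Constructed sample: the label value shown in step 2 of the advisory.
const SAMPLE_LABEL = '<a href="https://hackerbro.in">clickhere</a>';

// Characters that change meaning in HTML text and attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode in a single pass so '&' is never double-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the user-controlled label goes into markup as-is.
// (Hypothetical template; the real wording in the product is not on the page.)
function confirmDeleteUnsafe(label) {
  return `<p>The API key <strong>${label}</strong> will be removed.</p>`;
}

// Hardened pattern: the label is encoded at the point of output.
function confirmDeleteSafe(label) {
  return `<p>The API key <strong>${escapeHtml(label)}</strong> will be removed.</p>`;
}

// Regression check: list element names in a rendered fragment that the
// template itself never emits. Any hit means user input reached the markup layer.
function unexpectedTags(fragment, allowed = ['p', 'strong']) {
  const found = new Set();
  for (const m of fragment.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)) {
    const name = m[1].toLowerCase();
    if (!allowed.includes(name)) found.add(name);
  }
  return [...found];
}

console.log('unsafe render, unexpected tags:', unexpectedTags(confirmDeleteUnsafe(SAMPLE_LABEL)));
console.log('safe render, unexpected tags:  ', unexpectedTags(confirmDeleteSafe(SAMPLE_LABEL)));
console.log(confirmDeleteSafe(SAMPLE_LABEL));
```

A check like `unexpectedTags` fits a view-level test suite, run against every template that displays user-supplied names or labels.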