******************************************************************************************* # Exploit Title: PHP Scripts Mall Basic B2B Script 2.0.0 has Stored XSS via the First name, Last name, Address 1, City, State, and Company name fields. # Date: 20.07.2018 # Site Titel : B2B Script # Vendor Homepage: https://www.phpscriptsmall.com/ #Vendor Software : https://www.phpscriptsmall.com/product/professional-b2b-script/ # Software Link: http://readymadeb2bscript.com/basic-b2b/ # Category: Web Application # Version: 2.0.9 # Exploit Author: Vikas Chaudhary # Contact: https://www.facebook.com/profile.php?id=100011287630308 # Web: https://gkaim.com/ #Published on : https://gkaim.com/cve-2018-14541-vikas-chaudhary/ # Tested on: Windows 10 -Firefox # CVE- CVE-2018-14541 ***************************************************************************************** Proof of Concept:- -------------------------- 1. Go to the site (https://www.server.com/professional-b2b-script/ ). 2- Click on Join Free => Fill the Form and Create an Account using your name email and soo on ... 3- Goto your mail and Verify it. 4-Come back to site and Login using your Verified Mail and Password. 6- When loged in ,goto My Profile => Edit Profile and fill the these Scripts in given parameter. in FIRST NAME => "> in LAST NAME => "> in ADDRESS 1 => "> in ADDRESS 2 => "> in CITY => "> in STATE => "> in COMPANY NAME => "> Now click on SUBMIT and refresh the page You will having popup of /VIKAS/ , /CHAUDHARY/ , / MYAIM/ . /GKAIM/ , /HRPF/ , /ETHICAL/ , /HACKER/ in you account.. ***************************************************************************************