# Exploit Title: [IBM Sterling B2B Integrator persistent cross-site scripting] # Exploit Author: [Vikas Khanna] (https://www.linkedin.com/in/leetvikaskhanna/) (https://twitter.com/MR_SHANU_KHANNA) # Vendor Homepage: [https://www.ibm.com/support/knowledgecenter/en/SS3JSW_5.2.0/com.ibm.help.overview.doc/si_overview.html] # Version: [IBM Sterling B2B Integrator 5.2.0.1 - 5.2.6.3] (REQUIRED) # CVE : [CVE-2018-1513 & CVE-2018-1563] Vulnerability Details Vulnerability Name : Persistent Cross Site Scripting Affected Parameter(s) : fname & lname Steps to reproduce Step 1 : Login to the IBM Sterling B2B Integrator. Step 2 : Navigate to Performance Tuning module, Username will be displayed as below :- Last Edited By Note :- Modify the configuration for example and check the Last Edited By - Username. Any user (Admin or Non admin) who have privileges to change the configuration can act like an attacker. Step 3 : Navigate to My Account and update first name and last name. Step 4: Intercept the request using burp suite and insert the