@Argonx21
Last active October 15, 2023 15:47
CVE-2023-24516

# Vulnerability Title: Stored Cross Site Scripting - Special Days Module
# Vendor Homepage: https://pandorafms.com/en/
# Version: <= v767
# CVE: CVE-2023-24516
# CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (5.4 Medium)
# Exploit Author: Gaurish Kauthankar
# Date: 22/08/2023

Steps to reproduce:

  1. Create a calendar entry as an attacker.
  2. Click on the special days button.
  3. Select any date and set the group value to All (so the entry is visible to high-privilege users such as admins).
  4. Add the XSS payload in the description field.
  5. Browse the special days module as an admin and hover over the info icon.
  6. The stored payload executes in the admin's browser.
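The description is stored once and rendered into the tooltip of the info icon, so the defence is to encode it for the HTML attribute context at output time. The JavaScript below is an added illustration and not Pandora FMS code; the icon markup, the function names and the sample description are assumed.

```javascript
// Added example (not Pandora FMS code): rendering the special-days info icon
// whose tooltip displays a user-controlled description. Markup is assumed.

// Encode the characters that can terminate an HTML text node or a
// double-quoted attribute value. Encode when rendering, not when storing.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored description is concatenated directly into
// the title attribute, so a quote in the description ends the attribute and
// whatever follows is parsed as markup.
function renderInfoIconUnsafe(description) {
  return `<img src="images/info.png" title="${description}">`;
}

// Hardened pattern: identical markup, but the description is encoded for the
// attribute context it lands in, so the browser can only display it as text.
function renderInfoIcon(description) {
  return `<img src="images/info.png" title="${escapeHtml(description)}">`;
}

// What a browser would take as the title attribute's value: everything up to
// the next double quote. Useful to see where the unsafe version gets cut off.
function titleAttribute(html) {
  const m = html.match(/\stitle="([^"]*)"/);
  return m ? m[1] : null;
}

// Constructed sample description containing attribute metacharacters
// (no payload; the point is where the attribute boundary ends up).
const sampleDescription = 'Office closed "all day" <see notice> & remote';
```

With the sample description, `titleAttribute(renderInfoIconUnsafe(...))` returns only `Office closed `, showing the attribute was broken out of, while the hardened render keeps the whole text as a single encoded attribute value.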