Skip to content

Instantly share code, notes, and snippets.

@Argonx21
Last active October 15, 2023 15:47
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save Argonx21/5ef4d123c975285b3a42835c8e81603a to your computer and use it in GitHub Desktop.
CVE-2023-24516

CVE-2023-24516

# Vulnerability Title: Stored Cross Site Scripting - Special Days Module
# Vendor Homepage: https://pandorafms.com/en/
# Version: <= v767
# CVE: CVE-2023-24516
# CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (5.4 Medium)
# Exploit Author: Gaurish Kauthankar
# Date: 22/08/2023

Steps to reproduce:

  1. Create a calendar entry as an attacker.
  2. Click on the special days button.
  3. Select a random date and select the group value as all (to target high-privilege users like admins).
  4. Add the XSS payload in the description field.
  5. Browse the special days module as an admin and hover over the info icon.
  6. The XSS payload will be executed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment