@Argonx21
Last active October 15, 2023 15:47
CVE-2023-24516

# Vulnerability Title: Stored Cross Site Scripting - Special Days Module
# Vendor Homepage: https://pandorafms.com/en/
# Version: <= v767
# CVE: CVE-2023-24516
# CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (5.4 Medium)
# Exploit Author: Gaurish Kauthankar
# Date: 22/08/2023

Steps to reproduce:

  1. Create a calendar entry as an attacker.
  2. Click on the special days button.
  3. Select a random date and select the group value as all (to target high-privilege users like admins).
  4. Add the XSS payload in the description field.
  5. Browse the special days module as an admin and hover over the info icon.
  6. The XSS payload will be executed.
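
Added illustration (not code from the advisory or from Pandora FMS): the root cause described above is a stored description being rendered into the info icon's tooltip markup without encoding. The snippet contrasts that vulnerable rendering pattern with an output-encoded one; the field name, the tooltip markup and the sample description are constructed assumptions, not the product's actual code.

```javascript
// Added example (not from the advisory or the Pandora FMS code base). Shows why a
// stored "special day" description must be HTML-encoded before it is placed into
// the tooltip markup. The template and sample description are constructed.

// Encode the characters that can change meaning in HTML text and attribute
// contexts. This is the minimal set for double-quoted attributes and text nodes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: the stored description is concatenated straight into the
// title attribute, so any markup or quote in it becomes part of the page.
function renderTooltipUnsafe(description) {
  return `<span class="info" title="${description}">i</span>`;
}

// Hardened pattern: the dynamic value is encoded for the attribute context it
// lands in. Stored data is still treated as untrusted at render time, which is
// what makes a stored XSS fix hold regardless of who wrote the record.
function renderTooltipSafe(description) {
  return `<span class="info" title="${escapeHtml(description)}">i</span>`;
}

// Review helper: true when raw user-supplied markup survives into the output,
// i.e. the rendered string contains a '<' or '"' that the template itself did
// not contribute. Useful as a unit test around any tooltip/label renderer.
function userMarkupSurvives(rendered, description) {
  const hasMarkupChars = /[<>"']/.test(description);
  if (!hasMarkupChars) return false;
  // Strip the fixed template characters and check what is left.
  const inner = rendered.replace(/^<span class="info" title="/, "").replace(/">i<\/span>$/, "");
  return /[<>"']/.test(inner);
}

// Constructed sample: a description carrying a tag and quotes.
const SAMPLE_DESCRIPTION = 'Holiday <b>bonus</b> "quoted"';

function demo() {
  return {
    unsafe: renderTooltipUnsafe(SAMPLE_DESCRIPTION),
    safe: renderTooltipSafe(SAMPLE_DESCRIPTION),
    unsafeLeaks: userMarkupSurvives(renderTooltipUnsafe(SAMPLE_DESCRIPTION), SAMPLE_DESCRIPTION),
    safeLeaks: userMarkupSurvives(renderTooltipSafe(SAMPLE_DESCRIPTION), SAMPLE_DESCRIPTION),
  };
}

console.log(demo());
```

When the tooltip is built in the browser DOM rather than as a string, the equivalent fix is to set the value with `element.setAttribute("title", description)` or `element.textContent = description` instead of assigning to `innerHTML`; the browser then treats the stored text as data, not markup.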