@Argonx21
Last active October 15, 2023 15:47

Revisions

  1. Argonx21 revised this gist Oct 15, 2023. No changes.
  2. Argonx21 created this gist Oct 15, 2023.
# CVE-2023-24516

**Vulnerability Title:** Stored Cross Site Scripting - Special Days Module
**Vendor Homepage:** https://pandorafms.com/en/
**Version:** <= v767
**CVE:** CVE-2023-24516
**CVSS 3.1:** CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (5.4 Medium)
**Exploit Author:** Gaurish Kauthankar
**Date:** 22/08/2023

## **Steps to reproduce:**
1. As the attacker (an authenticated, low-privileged user, matching PR:L in the vector above), create a calendar entry.
2. Click the **Special days** button.
3. Pick any date and set the **group** value to **All**, so the entry is shown to users of every group, including administrators.
4. Put the XSS payload in the **description** field and save the entry.
5. Browse the Special days module as an administrator and hover over the **info icon** of that entry.
6. The stored payload executes in the administrator's browser.
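The bug class behind these steps, as an added illustration that is not Pandora FMS code: a stored description is concatenated into markup without output encoding, once into the info icon's `title` attribute and once into an HTML tooltip body. Both rendering contexts, the function names (`escapeHtml`, `renderInfoIcon*`, `renderTooltipBody*`, `attributeNames`, `tagNames`) and the sample entry are assumptions for the demonstration; the real Pandora FMS template is not reproduced here. The hardened variants escape on output, which is the generic fix for this class.

```javascript
// Added illustration of the bug class behind CVE-2023-24516; this is NOT
// Pandora FMS code. It assumes (hypothetically) that the Special days list
// writes the entry's description into the info icon's title attribute and
// into an HTML tooltip body; the real template may differ.

// Characters that must be escaped before untrusted text goes into HTML
// text content or a double-quoted attribute value.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: description concatenated verbatim into a title attribute.
function renderInfoIconVulnerable(day) {
  return `<img src="info.png" alt="info" title="${day.description}">`;
}

// Hardened: same markup, description escaped on output.
function renderInfoIconSafe(day) {
  return `<img src="info.png" alt="info" title="${escapeHtml(day.description)}">`;
}

// Vulnerable: description inserted as raw HTML into the tooltip body.
function renderTooltipBodyVulnerable(day) {
  return `<div class="tip">${day.description}</div>`;
}

// Hardened: description escaped so it renders as text, not markup.
function renderTooltipBodySafe(day) {
  return `<div class="tip">${escapeHtml(day.description)}</div>`;
}

// Attribute names found in a single tag, in order. Shows whether attacker
// input became its own attribute (for example an event handler).
function attributeNames(tag) {
  const names = [];
  const re = /\s([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// Element names opened in an HTML fragment, in order.
function tagNames(html) {
  const names = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)\b/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed payloads, one per context. The attribute payload closes the
// title attribute and adds an event handler; the body payload adds an element.
const ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)" x="';
const TAG_PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Constructed sample entry as the attacker would store it (group "All").
function sampleDay(description) {
  return { date: '2023-10-15', group: 'All', description };
}

// Summarise both contexts: true means the injected markup survived rendering
// (an on* attribute in the icon tag, or an <img> element in the tooltip body).
function injectionSurvives(description) {
  const day = sampleDay(description);
  const hasHandler = (tag) => attributeNames(tag).some((n) => /^on/i.test(n));
  return {
    attributeVulnerable: hasHandler(renderInfoIconVulnerable(day)),
    attributeSafe: hasHandler(renderInfoIconSafe(day)),
    bodyVulnerable: tagNames(renderTooltipBodyVulnerable(day)).includes('img'),
    bodySafe: tagNames(renderTooltipBodySafe(day)).includes('img'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('attribute payload:', injectionSurvives(ATTR_PAYLOAD));
  console.log('element payload:  ', injectionSurvives(TAG_PAYLOAD));
}
```

Run with `node` to see that each payload only survives in the context it was written for, and never in the escaped variants; the two contexts are kept separate because the same `escapeHtml` covers both only while the value is placed in text content or a quoted attribute, not in a URL or inline script.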