Vulnerability Title: Reflected Cross Site Scripting - Network maps editor module
Vendor Homepage: https://pandorafms.com/en/
Version: <= v765
CVE: CVE-2022-45436
CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (4.8 Medium)
Exploit Author: Damodar Naik
Date: 02/14/2023
- Navigate to Topology maps -> Network map as an attacker, and click on the help button.
- Capture the request in burpsuite and at parameter b insert the XSS payload.
- Using some phishing technique, lure the admin or any other user visit the URL.
- The XSS payload gets executed.