Home > CVE > CVE-2018-20632- PHP Scripts Mall Advance B2B Script 2.1.4 has stored Cross-Site Scripting (XSS) Vulnerability.

CVE-2018-20632- PHP Scripts Mall Advance B2B Script 2.1.4 has stored Cross-Site Scripting (XSS) Vulnerability.

CVE-2018-20632-vikas-chaudhary

******************************************************
# Exploit Title: PHP Scripts Mall Advance B2B Script 2.1.4 has stored Cross-Site Scripting (XSS) via the FIRST NAME orLAST NAME field.
# Date: 30.12.2018
# Site Title : Entrepreneur B2B Script
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: http://198.38.86.159/~nced2bvda/index.php
# Category: Web Application
# Version: 2.1.4
# Exploit Author: Vikas Chaudhary
# Contact: https://www.facebook.com/profile.php?id=100011287630308
# Web: https://gkaim.com/
# Tested on: Windows 10 -Firefox
# CVE-2018-20632.
********************************************************
## VENDOR SUMMARY :- PHP Scripts Mall Pvt. Ltd. is a professional software selling portal offering wide range of innovative. PHP Scripts Mall is a leading business and technology firm with 12 years of successful track record in completion and implementation of numerous projects in various
verticals and domains.. It has 300 plus PHP scripts ready to buy.

## Vulnerability Description=> Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
**********************************************************
Proof of Concept:-
————————–
1. Go to the site ( http://198.38.86.159/~nced2bvda/index.php ) .
2- Click on Register and choose buyer
3-Fill the form using your mail and verify it
4-Login to site and go to account setting
5-Now then fill the Form using these given script

in First Name =>


And in
in LAST NAME => “><*img src=x onerror=*prompt(/Vikas/)>
in CITY => “><*img src =x onError=*alert(“chaudhary”)>
NOTE=> Remove * from these 2 Codes
6-Now click on save
7-Code will be show.
8-Press back button and refresh the page , You will having popup of /VIKAS/ , /CHAUDHARY/ and then You will see magic.

Admin
Welcome Sir, .. Myself Vikas Chaudhary , i was interested in general knowledge since childhood , so i thought why not to share my knowledge with you, that's why i created this educational blog. Here you find world wide general knowledge of all Latest technology , Science & History Que , and Mysterious fact of the world. Here you also find knowledge about cyber security. Thanks for visit.. keep supporting....keep Loving
https://www.gkaim.com

Leave a Reply

%d bloggers like this: