Stored XSS in Playlist Name Parameter Under Playlists Tab [#20451]
Posted: Thu Nov 30, 2023 11:14 am
by Mayur
Description:
We observed that Cross-site scripting vulnerabilities occur when user-supplied input is not properly validated & output is not properly escaped for the below vulnerable parameter.
In this observation, the attacker added the malicious script as payload in the Playlist Name field while creating the new Playlist which resulted in the execution of a Stored XSS attack.
RISK FACTOR: High
Affected Component: Playlist Name parameter.
Steps to reproduce:
1) Open the monkey media app and enter into the Playlist tab. While creating the new playlist, under the name field add this {asdf"><img src=x onerror=alert(1)>} XSS payload and save it.
2) You will observe that the stored XSS attack got executed.
Stored XSS in Playlist Name Parameter Under Playlists Tab.
Posted: Thu Nov 30, 2023 11:29 am
by Mayur
Description:
We observed that Cross-site scripting vulnerabilities occur when user-supplied input is not properly validated & output is not properly escaped for the below vulnerable parameter.
In this observation, the attacker added the malicious script as payload in the Playlist Name field while creating the new Playlist which resulted in the execution of a Stored XSS attack.
RISK FACTOR: High
Affected Component: Folder Name parameter.
Steps to reproduce:
1) Open the monkey media app and enter into the Devices & Services tab.
2) While creating the new Storage and Services, select Local Storage(folder), and under that select Network and change any network name.
3) Under the name field add this {asdf"><img src=x onerror=alert(1)>} XSS payload and save it, you will observe that the stored XSS attack got executed.
4) While deleting that same edited folder you will observe another error based Stored XSS.
Re: Stored XSS in Playlist Name Parameter Under Playlists Tab.
Posted: Fri Dec 01, 2023 11:32 am
by Ludek
Re: Stored XSS in Playlist Name Parameter Under Playlists Tab [#20451]
Posted: Mon Dec 04, 2023 1:34 am
by Mayur
Hi Ludek,
This issue is different; it comes under the Devices & Services tab, and I don't have access to the link that you have given. Please give me access and please let me know about the CVE.
Thanks,
Mayur
Reflected XSS under Home page Search field
Posted: Mon Dec 04, 2023 1:41 am
by Mayur
Description:
We observed that Cross-site scripting vulnerabilities occur when user-supplied input is not properly validated & output is not properly escaped for the below vulnerable parameter.
In this observation, the attacker added the malicious script as a payload in the Search field while searching which resulted in the execution of a Reflected XSS attack.
RISK FACTOR: High
Affected Component: Search parameter.
Steps to reproduce:
1) Open the monkey media app; on the right-hand side you will be able to see the search field. Add this {asdf"><img src=x onerror=alert(1)>} XSS payload and click search.
2) You will observe that the Reflected XSS attack got executed.
Re: Reflected XSS under Home page Search field
Posted: Mon Dec 04, 2023 2:29 am
by Peke
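Added example, not part of any post in this thread and not the application's own code: the three reports above share one root cause, a user-supplied name or search term placed into markup without output escaping. The sketch below puts that pattern next to an escaped version, using the string quoted in the reports as test input; the render functions and class names are hypothetical.

```javascript
// Test input: the string quoted in the reports above.
const PAYLOAD = 'asdf"><img src=x onerror=alert(1)>';

// Vulnerable pattern (hypothetical markup): user text concatenated into
// an attribute value and into element content. The `">` in the input
// closes the attribute and the tag, so what follows is parsed as markup.
function renderUnsafe(name) {
  return '<input class="playlist-name" value="' + name + '">' +
         '<span class="title">' + name + '</span>';
}

// Output encoding for HTML text and quoted attribute values.
// A single pass over the string avoids double-escaping the "&".
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: escape at the point of output, every time the value
// is rendered (list view, edit dialog, delete confirmation, search box).
function renderSafe(name) {
  const safe = escapeHtml(name);
  return '<input class="playlist-name" value="' + safe + '">' +
         '<span class="title">' + safe + '</span>';
}

// Regression check: count element openings the HTML parser would see.
// The template itself contributes exactly two (<input> and <span>).
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

console.log('unsafe tags:', countTags(renderUnsafe(PAYLOAD))); // 4
console.log('safe tags:  ', countTags(renderSafe(PAYLOAD)));   // 2
console.log('escaped:    ', escapeHtml(PAYLOAD));
```

When the UI is built through the DOM rather than by string concatenation, assigning the value with `textContent` or `setAttribute` gives the same result, because the value is never passed through the HTML parser.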