Document Title:
===============
Evolution Script CMS v5.3 - Cross Site Scripting Vulnerability

Date:
=====
2017-06-07

References:
===========
https://www.vulnerability-lab.com/get_content.php?id=2075

VL-ID:
=====
2075

Common Vulnerability Scoring System:
====================================
3.3

Vulnerability Class:
====================
Cross Site Scripting - Non Persistent

Introduction:
=============
Developed with a new improved and powerful core. Handy User interface to manage your business. Maximum security for you and your members.

(Copy of the Homepage: https://www.evolutionscript.com/ )

Abstract:
=========
The vulnerability laboratory core research team discovered a client-side cross site scripting vulnerability in the official Evolution Script v5.3 Content Management System.

Report-Timeline:
================
2017-06-07: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
Evolution Script S.A.C.
Product: Evolution Script - Content Management System (Web-Application) v5.3

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
A client-side cross site scripting vulnerability has been discovered in the official Evolution Script v5.3 Content Management System. The issue allows remote attackers to inject script code via a client-side attack vector to compromise browser-to-application requests.

The cross site scripting vulnerability is located in the `status` parameter of the `Ticket Support` module. Remote attackers are able to inject their own malicious script code via a GET method request. The attack vector is non-persistent and the request method used to inject is GET. The vulnerability affects the support and administrator roles in the ticket support module. The security risk of the vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.2.
Exploitation of the cross site scripting vulnerability requires no privileged web-application user account and low user interaction. Successful exploitation results in session hijacking, non-persistent phishing attacks, non-persistent external redirects and malware loads, or non-persistent manipulation of the affected and connected module context.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] Support Tickets

Vulnerable Parameter(s):
[+] status

Affected Role(s):
[+] Support
[+] Admin

Proof of Concept:
=================
The client-side cross site scripting vulnerability can be exploited by remote attackers without a user account and with low user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

PoC: Vulnerability
http://evolutionscript.localhost:8080/admin/?view=support&do=search&ticket=100&status=[CROSS SITE SCRIPTING VULNERABILITY!]

PoC: Exploitation
Evolution Script v5.3 - XSS PoC

PoC: Vulnerable Source (status)
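The defect class behind this advisory is a GET parameter (`status`) that is written back into the page without validation or output encoding. The following Python is an added illustration, not code from Evolution Script or from the advisory: it places the unsafe reflection beside a hardened handler (allowlist of known ticket states plus HTML encoding of anything echoed), and adds a log-side check that flags requests whose `status` value carries HTML metacharacters. The `ALLOWED_STATUS` values, the function names and the access-log lines in `SAMPLE_LOG` are assumptions constructed for the example; the advisory does not list the states the real CMS accepts.

```python
"""Reflected XSS in a GET parameter: unsafe vs. hardened handling, plus a
log check. Added example; this is not Evolution Script's own code."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical set of legitimate ticket states (assumed for the example;
# the advisory does not list the values the real CMS accepts).
ALLOWED_STATUS = {"open", "pending", "closed"}

# Characters and fragments that have no business in a ticket-state value.
SUSPICIOUS = re.compile(r"""[<>"']|javascript:|on\w+\s*=""", re.IGNORECASE)

# Pulls the request target out of an Apache combined-format log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed access-log lines (not real traffic). Line 2 carries a
# URL-encoded <b>x</b> in the status parameter; lines 1 and 3 are benign.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Jun/2017:10:00:01 +0000] "GET /admin/?view=support'
    '&do=search&ticket=100&status=open HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Jun/2017:10:00:02 +0000] "GET /admin/?view=support'
    '&do=search&ticket=100&status=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5180 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Jun/2017:10:00:03 +0000] "GET /admin/?view=support'
    '&do=list HTTP/1.1" 200 4090 "-" "Mozilla/5.0"',
]


def render_status_unsafe(status: str) -> str:
    """Mirrors the defect class the advisory describes: the parameter value is
    concatenated straight into the page body, so any markup in it becomes live."""
    return f"<h2>Tickets with status: {status}</h2>"


def render_status_safe(status: str) -> str:
    """Hardened form: accept only known states, and HTML-encode whatever is
    echoed back, including the value in the error branch. The encoding alone
    would already neutralise the injection; the allowlist removes the
    attack surface entirely for the expected inputs."""
    if status not in ALLOWED_STATUS:
        return f'<p class="error">Unknown status: {html.escape(status, quote=True)}</p>'
    return f"<h2>Tickets with status: {html.escape(status, quote=True)}</h2>"


def status_from_url(url: str) -> str:
    """Return the percent-decoded status parameter from a full URL or a
    bare request path ('' when the parameter is absent)."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("status", [""])[0]


def is_suspicious_status(url: str) -> bool:
    """True when the decoded status value contains HTML/script metacharacters."""
    return SUSPICIOUS.search(status_from_url(url)) is not None


def flag_log_lines(lines):
    """Scan access-log lines; return (line number, decoded status) for each
    request whose status parameter looks like an injection attempt."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and is_suspicious_status(match.group(1)):
            hits.append((number, status_from_url(match.group(1))))
    return hits


if __name__ == "__main__":
    sample = "<b>x</b>"
    print("unsafe :", render_status_unsafe(sample))
    print("safe   :", render_status_safe(sample))
    print("flagged:", flag_log_lines(SAMPLE_LOG))
```

Running the module prints the unsafe rendering with the markup intact, the hardened rendering with the value encoded, and the flagged log entries. In production the allowlist should be the same set the application's own ticket logic uses, and the log check is a triage aid for finding attempted abuse of this parameter in historic traffic rather than a substitute for fixing the output encoding.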