Skip to content

Instantly share code, notes, and snippets.

@CoffeeW-1337
Last active June 15, 2020 15:48
Show Gist options
  • Save CoffeeW-1337/b93223b7507e0d43d764a70eba00473b to your computer and use it in GitHub Desktop.
Save CoffeeW-1337/b93223b7507e0d43d764a70eba00473b to your computer and use it in GitHub Desktop.
CVE-2019-13583
CVE-2019-13583
An issue was discovered in Xtream Codes 1.60.0. It is an XSS chained with
CSRF, leading to remote command execution as the payload is
stored on a page that is frequently viewed by an admin.
[Additional Information]
A captcha bypass is needed if scripted, a fast function with selenium works well.
The attacker inject the payload which will be reflected in a page.
With social engineering the attacker can push the admin to go to the
page where the payload is reflected, even without social engineering
the page is regularly viewed by an admin.
Gives admin privileges on
the CMS backend, all the customers usernames & passwords and can be leveraged to a reverse
shell as a sudoer user on the reseller's server.
[VulnerabilityType Other]
Stored XSS chained with a CSRF leading to a RCE
[Vendor of Product]
Xtream-Codes LTD
[Affected Product Code Base]
Xtream-Codes CMS - 1.60
[Affected Component]
Login page
[Attack Type]
Remote
[Impact Code execution]
true
[Impact Escalation of Privileges]
true
[Attack Vectors]
The attacker inject the payload which will be reflected in a page.
[Reference]
https://xtream-codes.com/
[Discoverer]
Coffee & Weed
Cheers to : KalAp / Adibou
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment