- Exploit Title: PLANNO 23.04.04 COMMENT CROSS SITE SCRIPTING
- Exploit Author: Angel Metz AKA PH03N1XSP
- Vendor Homepage: Planno
- Software Link: GitHub - PlanningBiblio
- Version: <= 23.04.04
- Tested on: Linux
- CVE-2023-5024
A vulnerability has been discovered in Planno version <= 23.04.04, and it has been categorized as problematic. This vulnerability affects an undisclosed portion of the Comment Handler component's code and can lead to cross-site scripting (XSS) attacks. It has been assigned the name CVE-2023-5024. Importantly, this type of attack can be initiated remotely, and furthermore, an exploit is known to exist to exploit this vulnerability.
- Proceed to log in using your credentials.
- Navigate to the bottom and click on "Ajouter un commentaire."
- Write a malicious script to obtain a Reflected XSS (
"><script>alert(1);</script>
) - Once the script is entered, proceed to obtain the reflected XSS.
- Proceed to log in using your credentials.
- Go to the upper right and click on "Enregistrer comme modele."
- In "Nom du module," write a malicious script to obtain a Reflected XSS (
"><script>alert(1);</script>
) and then click on "Enregistrer." - Once the script is entered, proceed to obtain the reflected XSS.
You can learn more about it at the following links: