PH03N1XSP / CVE-2023-5024

  • Exploit Title: PLANNO 23.04.04 COMMENT CROSS SITE SCRIPTING
  • Exploit Author: Angel Metz AKA PH03N1XSP
  • Vendor Homepage: Planno
  • Software Link: GitHub - PlanningBiblio
  • Version: <= 23.04.04
  • Tested on: Linux
  • CVE-2023-5024

A vulnerability has been discovered in Planno version <= 23.04.04 and has been categorized as problematic. It affects an undisclosed part of the Comment Handler component's code and can lead to cross-site scripting (XSS). It is tracked as CVE-2023-5024. The attack can be initiated remotely, and an exploit for the vulnerability is known to exist.

Description: PLANNO 23.04.04 COMMENT CROSS SITE SCRIPTING

1st Path

  1. Proceed to log in using your credentials.
  2. Navigate to the bottom and click on "Ajouter un commentaire."
  3. Write a malicious script to obtain a Reflected XSS ("><script>alert(1);</script>)
  4. Once the script is entered, proceed to obtain the reflected XSS.

2nd Path

  1. Proceed to log in using your credentials.
  2. Go to the upper right and click on "Enregistrer comme modele."
  3. In "Nom du module," write a malicious script to obtain a Reflected XSS ("><script>alert(1);</script>) and then click on "Enregistrer."
  4. Once the script is entered, proceed to obtain the reflected XSS.
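Why the `">` prefix in the test string matters, and the output encoding that neutralizes it, shown as an added example that is not from the original advisory or from Planno's code. The affected code is undisclosed, so the template, field names and function names below are assumptions.

```javascript
// Added example: constructed template, not Planno's code.
const PAYLOAD = '"><script>alert(1);</script>'; // test string from the steps above

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reverse of escapeHtml, used only to show that encoding loses no user data.
function decodeHtml(value) {
  return value.replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Vulnerable pattern: user text concatenated into a quoted attribute and an element body.
function renderUnsafe(name, comment) {
  return `<input type="text" name="nom" value="${name}"><p class="comment">${comment}</p>`;
}

// Hardened pattern: the same template with every user value encoded on output.
function renderSafe(name, comment) {
  return `<input type="text" name="nom" value="${escapeHtml(name)}">` +
         `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Regression check for a test suite: true if the markup contains a live script tag.
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// What an HTML parser takes as the value attribute: everything up to the first
// closing quote, entity-decoded.
function parsedValueAttribute(html) {
  const m = /value="([^"]*)"/.exec(html);
  return m ? decodeHtml(m[1]) : null;
}

// Unsafe: the leading quote closes the attribute, so the parsed value is empty
// and the rest of the input becomes markup. Safe: the value is the literal text.
console.log(JSON.stringify(parsedValueAttribute(renderUnsafe(PAYLOAD, 'ok'))));
console.log(JSON.stringify(parsedValueAttribute(renderSafe(PAYLOAD, 'ok'))));
console.log(containsLiveScript(renderUnsafe(PAYLOAD, PAYLOAD)),
            containsLiveScript(renderSafe(PAYLOAD, PAYLOAD)));
```

The `containsLiveScript` check can be run against any rendered page that echoes the comment or template-name field to confirm a fix encodes on output rather than filtering input.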

You can learn more about it at the following links:

License: MIT License