CVE-2023-30256
published 2023-05-11

CVE-2023-30256: Cross Site Scripting vulnerability found in Webkil QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create…

Priority: P3 · 41 · medium 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: EPSS 8.73% (94.5th percentile)
Cross Site Scripting vulnerability found in Webkil QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create parameters in the AuthController.php file.

Affected

5 ranges
Vendor | Product | Version range | Fixed in
maradns | maradns | >= 0 < 2.0.13-1.4+deb11u1build0.20.04.1 | 2.0.13-1.4+deb11u1build0.20.04.1
maradns | maradns | >= 0 < 2.0.13-1.4+deb11u1build0.22.04.1 | 2.0.13-1.4+deb11u1build0.22.04.1
maradns | maradns | >= 0 < 2.0.13-1ubuntu0.1~esm1 | 2.0.13-1ubuntu0.1~esm1
maradns | maradns | >= 0 < 2.0.13-1.2ubuntu0.1~esm1 | 2.0.13-1.2ubuntu0.1~esm1
webkul | qloapps | |

Detection & IOCs (extracted from sources)

url: /?rand=1679996611398&controller=authentication&SubmitCreate=1&ajax=true&email_create=a&back=xss%20onfocus%3dalert(1)%20autofocus%3d%20xss&token=6c62b773f1b284ac4743871b300a0c4d
path: /AuthController.php
command: xss onfocus=alert(1) autofocus= xss
command: xss%20onfocus%3dalert(1)%20autofocus%3d%20xss
command: xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss
command: controller=authentication&SubmitCreate=1&ajax=true&email_create=xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss&back=my-account&token=6c62b773f1b284ac4743871b300a0c4d
  • Detect XSS exploitation attempts against the `back` GET parameter on the QloApps authentication controller endpoint by looking for onfocus/autofocus injection patterns in the URL.
  • Detect XSS exploitation attempts against the `email_create` POST parameter by looking for `<img src=a onerror=` payloads in POST body to the authentication controller.
  • Match HTTP response body containing both `xss onfocus=alert(document.domain) autofocus= xss` and `hasConfirmation` as indicators of successful XSS reflection.
  • Flag requests to `controller=authentication` with `SubmitCreate=1&ajax=true` combined with XSS payloads in `back` or `email_create` parameters.
  • The static token value `6c62b773f1b284ac4743871b300a0c4d` appears in all PoC requests; however, this may be a fixed demo token specific to the test instance and may differ in real deployments.
  • The `email_create` XSS payload only works via POST request, while the `back` parameter XSS is exploitable via both GET and POST requests.

CVSS provenance

NVD: v3.1, 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
OSV: 7.5 HIGH