CVE-2022-30777

Ronit Bhatt
May 16, 2022

--

Reflected XSS on sites using Parallels H-Sphere

Discovered by: Ronit Bhatt

Reference: https://en.wikipedia.org/wiki/H-Sphere

Bug Description:

A cross-site scripting (XSS) vulnerability in sites running an outdated version of the H-Sphere hosting control panel (3.6.17) allows remote attackers to inject arbitrary web script or HTML via the “from” parameter.

Steps To Reproduce:

1. Visit the home page/default page of the site using H-Sphere.

2. Go to the URL shown in the screenshot below, i.e. /index_en.php?from="><script>alert(1)</script>. At times, also try hitting the endpoint /index.php instead of /index_en.php.

3. BOOM!! The XSS triggers.
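As an added illustration (not from the original post and not H-Sphere's code), the Python below shows the kind of attribute-context reflection the “from” payload above relies on beside an escaped version, and a simple detector over constructed access-log lines for requests to /index.php or /index_en.php whose from parameter carries markup characters. The template, the log lines and the helper names are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed template: the "from" parameter is reflected into an attribute value,
# which is why the write-up's payload starts with "> to close the attribute.
# This is an illustrative stand-in, not H-Sphere's own code.
def render_vulnerable(from_value: str) -> str:
    return f'<input type="hidden" name="from" value="{from_value}">'

def render_hardened(from_value: str) -> str:
    # quote=True also escapes " and ', so the value cannot break out of the attribute.
    safe = html.escape(from_value, quote=True)
    return f'<input type="hidden" name="from" value="{safe}">'

def reflects_unescaped(rendered: str, payload: str) -> bool:
    """True when the payload appears verbatim in the output, i.e. reflection is unescaped."""
    return payload in rendered

# Detection side: flag requests to the affected endpoints whose "from" value
# contains characters that have no business in a redirect path.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
MARKUP_CHARS = re.compile(r'[<>"\']')
AFFECTED = ("/index.php", "/index_en.php")

def flag_suspicious_from(log_lines):
    """Return (path, decoded from-value) for each access-log line that looks like an XSS attempt."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith(AFFECTED):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("from", []):
            decoded = unquote(value)  # parse_qs decoded once; this catches double encoding
            if MARKUP_CHARS.search(decoded):
                hits.append((url.path, decoded))
    return hits

# Constructed sample log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/May/2022:10:01:02 +0000] "GET /index_en.php?from=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.6 - - [16/May/2022:10:01:09 +0000] "GET /index_en.php?from=/login HTTP/1.1" 200 512',
    '203.0.113.7 - - [16/May/2022:10:02:11 +0000] "GET /index.php?from=%253C%253Cscript%253E HTTP/1.1" 200 512',
]
```

Running flag_suspicious_from(SAMPLE_LOG) flags the first and third lines (the third only because of the second decoding pass) and leaves the ordinary /login redirect alone.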

I hope you like the blog and find some XSS, along with some $$$$ 😎.

LinkedIn: https://www.linkedin.com/in/ronit-bhatt-653a7115b/

Thank you

Ronit Bhatt
