CVE-2022-30777
May 16, 2022
Reflected XSS on sites using Parallels H-Sphere
Discovered by: Ronit Bhatt
Reference: https://en.wikipedia.org/wiki/H-Sphere
Bug Description:
Cross-site scripting (XSS) vulnerability in sites using outdated H-Sphere hosting (3.6.17) allows remote attackers to inject arbitrary web script or HTML via the “from” parameter, which is reflected into the page without encoding.
Steps To Reproduce:
1. Visit the home page/default page of the site using H-Sphere.
2. Go to the URL mentioned in the screenshot below, i.e. /index_en.php?from="><script>alert(1)</script>. If it does not trigger there, try the /index.php endpoint instead of /index_en.php.
3. BOOM !! The XSS triggers.
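As an added defender's example (not part of the original write-up or of H-Sphere's code), the following Python script scans constructed access-log lines for requests that send markup characters in the "from" parameter to the two endpoints named above, and shows the output-encoding fix that stops the reflected value from breaking out of an attribute. The log lines, the hidden-input markup and the function names are constructed for illustration.

```python
import re
from html import escape
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints named in the advisory; "from" is the reflected parameter.
VULNERABLE_PATHS = {"/index.php", "/index_en.php"}
# Characters or tokens that let a reflected value close an attribute or inject markup.
MARKUP_RE = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.IGNORECASE)

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [16/May/2022:10:01:02 +0000] "GET /index_en.php?from=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [16/May/2022:10:01:07 +0000] "GET /index_en.php?from=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5210 "-" "curl/7.8"
203.0.113.9 - - [16/May/2022:10:01:09 +0000] "GET /index.php?from=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5210 "-" "curl/7.8"
198.51.100.2 - - [16/May/2022:10:02:00 +0000] "GET /about.php?from=%3Cb%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_from_requests(log_text):
    """Return (client_ip, path, decoded_from_value) for requests that carry
    markup in the "from" parameter to one of the affected endpoints."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _timestamp, target = m.groups()
        parts = urlsplit(target)
        if parts.path not in VULNERABLE_PATHS:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("from", []):
            # parse_qs already percent-decoded once; decode again to catch double encoding.
            decoded = unquote(value)
            if MARKUP_RE.search(decoded):
                hits.append((ip, parts.path, decoded))
    return hits


def render_from_safely(value):
    """Application-side fix: HTML-encode the reflected value (quotes included)
    before placing it in a quoted attribute, so it cannot close the attribute."""
    return '<input type="hidden" name="from" value="%s">' % escape(value, quote=True)
```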
Hope you like the blog and find some XSS along with some $$$$ 😎.
LinkedIn: https://www.linkedin.com/in/ronit-bhatt-653a7115b/
Thank you
Ronit Bhatt