PayMoney 3.3 is vulnerable to Stored Cross-Site Scripting (XSS) when replying to a ticket. A specially crafted payload injected into the "Message" field (the "description" parameter) is stored by the application. The payload then triggers immediately afterwards, or when the ticket is accessed through the view ticket function.
References
Link | Resource |
---|---|
https://github.com/saitamang/POC-DUMP/tree/main/PayMoney | Exploit Third Party Advisory |
https://paymoney.techvill.org/ | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-09-14T03:24:01
Updated: 2022-09-14T03:24:01
Reserved: 2022-08-01T00:00:00
Link: CVE-2022-37137
NVD Information
Status: Analyzed
Published: 2022-09-14T11:15:50.153
Modified: 2022-09-16T03:19:03.430
Link: CVE-2022-37137
Redhat Information
No data.
CWE