Hana Flv Player <= 3.1.3 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2021-24302 | Plugin Vulnerabilities

Description

The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the "Default Skin" field.

Proof of Concept

Step1: Install and activate the plugin. 

Step2: Go to the plugin setting.

Step3: Enter the following payload in the field "Default Skin"

xss"></td></tr></table><script>alert(1)</script><input type='text' name="hflv_skin" value="xss

Step4: Now the script is stored and whenever the user goes to the plugin the script will be executed.

Affects Plugins

hana-flv-player

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Kishore Hariram

Submitter

Kishore Hariram

Submitter twitter

Verified

Yes

WPVDB ID

372a66ca-1c3c-4429-86a5-81dbdaa9ec7d

Timeline

Publicly Published

2021-05-05 (about 3 years ago)

Added

2021-05-06 (about 3 years ago)

Last Updated

2021-05-07 (about 3 years ago)

Other

Published

Title

Published

2023-08-29

Title

SureCart < 2.5.1 - Admin+ Stored XSS

Published

2021-07-12

Title

Newsmag < 5.0 - Unauthenticated Reflected Cross-site Scripting (XSS)

Published

2022-10-21

Title

OAuth Client by DigitialPixies <= 1.1.0 - Admin+ Stored Cross-Site Scripting

Published

2020-08-19

Title

Elegant Testimonial <= 1.1.6 - Multiple Authenticated Stored Cross-Site Scripting

Published

2023-11-06

Title

Woocommerce Vietnam Checkout < 2.0.6 - Unauthenticated Stored XSS