
CVE-2019-13633 PoC — blinger Blinger.io Cross-Site Scripting Vulnerability

Source
Associated Vulnerability
Title: blinger Blinger.io Cross-Site Scripting Vulnerability (CVE-2019-13633)
Description: Blinger.io v.1.0.2519 is vulnerable to Blind/Persistent XSS. An attacker can send arbitrary JavaScript code via a built-in communication channel, such as Telegram, WhatsApp, Viber, Skype, Facebook, Vkontakte, or Odnoklassniki. This is mishandled within the administration panel for conversations/all, conversations/inbox, conversations/unassigned, and conversations/closed.
Readme
# CVE-2019-13633
**[Suggested description]**: Blinger.io v.1.0.2519 is vulnerable to Blind/Persistent XSS.  
**[Additional Information]**: Blinger.io is a platform used by global clients such as FxPro, Alfa Bank, OneTwoTrip, Ivi, KupiVIP Group, Belavia, Wargaming, Yandex, OZON, TCS Group Holding and others. Performing this attack allows criminals to gather critical information about the clients of the targeted companies, and it can become the starting point for many other attack vectors. An attacker can send arbitrary JavaScript code via built-in communication channels, such as Telegram, WhatsApp, Viber, Skype, Facebook, and so on. The code is executed within the following panels:  
- conversations/all  
- conversations/inbox  
- conversations/unassigned  
- conversations/closed

**[Vulnerability Type]**: Cross Site Scripting (XSS)  
**[Vendor of Product]**:  https://blinger.io/  
A letter was sent to the vendor about the vulnerability. The vulnerability was confirmed by the vendor.  
**[Affected Component]**:  
https://app.blinger.io/conversations/all  
https://app.blinger.io/conversations/inbox    
https://app.blinger.io/conversations/unassigned    
https://app.blinger.io/conversations/closed      
**[Affected Product Code Base]**: Blinger Omnichannel helpdesk for customer support & sales - v.1.0.2519     
**[Attack Type]**: Remote    
**[Impact Denial of Service]**: False  
**[Impact Information Disclosure]**: True  
**[Attack Vectors]**:  
The attacker sends malicious JavaScript code via the communication channels built into the customer-facing web page. The transmitted JavaScript code is then executed in the administration panel of the Help Desk service, allowing the attacker to steal the session cookie, perform phishing attacks, gather critical information about the customer's clients, etc.  
**[Discovered]**: Alexander Semenenko, Luka Safonov.  
**[Reference]**  
https://blinger.io/  
https://help.blinger.io/changelog  
**[Proof of Concept]**:    
Execution of the malicious code in the administration panel and the resulting callback report in https://xsshunter.com/:
![PoC screenshot: XSS Hunter report for CVE-2019-13633](https://github.com/Aleksander-Semenenko/CVE-2019-13633/blob/main/POC_CVE-2019-13633_3.png)

File Snapshot

[4.0K] /data/pocs/e29cee5e2c6916041effe677a429b3f1b6a24f37
├── [ 36K] POC_CVE-2019-13633_3.png
└── [2.1K] README.md

0 directories, 2 files