rlsec.xyz
172.104.17.149
Public Scan
URL: http://rlsec.xyz/vulns/CVE_2021_42867.html
Submission: On April 06 via api from US — Scanned from DE
Form analysis
0 forms found in the DOM
Text Content
CVE-2021-42967: HTMLY 2.8.1 XSS VULNERABILITY

Vulnerability found in HTMLy v2.8.1 by "HAXSS", a Reinforcement Learning Agent for Cross Site Scripting (XSS) testing.

DESCRIPTION:
The "Description" field of the "/admin/config" page of htmly 2.8.1 is subject to a Cross Site Scripting (XSS) vulnerability. This allows malicious users to send an authenticated POST HTTP request to inject JavaScript or HTML.

KNOWN PAYLOADS:
* </body><body onmouseover=alert(1455055833)></body>

STEPS TO REPRODUCE:
1. Log into the admin panel ('/login').
2. Use the dashboard to navigate to the config page ('/admin/config').
3. Edit the "Description" field on the page to a malicious payload.
4. Save the settings.
5. Navigate to the home page '/' and the vulnerability is shown.