Crea8Social 1.3 - Persistent Cross-Site Scripting

Author: Halil Dalabasmaz
type: webapps
platform: php
port: 80.0
date_added: 2014-11-25 
date_updated: 2014-11-25 
verified: 0 
codes: OSVDB-115043 
tags: 
aliases:  
screenshot_url:  
application_url: 

# Exploit Title: crea8social 1.3 Stored XSS Vulnerability
# Date: 24-10-2014
# Exploit Author: Halil Dalabasmaz
# Version: v1.3
# Vendor Homepage: http://codecanyon.net/item/crea8social-php-social-networking-platform-v13/9211270
# Tested on: Chrome & Iceweasel

# Vulnerability Description:

===Stored XSS===
Create a page from "Pages" (/pages) section. "Page Website" input is not secure. You can run XSS payloads on "Page Website" input.

Sample Payload for Stored XSS: http://example.com/">[xssPayload]

=Solution=
Filter the input field against to XSS attacks.
================