Cross-site Scripting (XSS) - Generic in boxbilling/boxbilling

Valid

Reported on

Apr 17th 2021


✍️ Description

Cross site scripting via redirect url

🕵️‍♂️ Proof of Concept

Log in to your BoxBilling account and visit http://mysite.com/boxbilling/index.php?_url=/bb-admin/extension/settings/redirect . Enter the XSS payload xss"'><img src=x onerror=alert()> in the redirect URL field and save. After saving, you can see that the XSS is executed.

Video PoC:

https://drive.google.com/file/d/1bkFc1xaJo7h2sR6A9znLQbzSnMai6lCj/view?usp=sharing
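As an added illustration that is not part of this report or of BoxBilling's code, the following Python models both sides of the bug: a settings field whose stored value is interpolated into an HTML attribute unescaped (the pattern that lets the reported payload break out of the attribute), beside the hardened version with contextual output encoding and an allowlist check on save. The field name, markup and validation rules are assumptions, not BoxBilling's own.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the payload from the report, as saved into the field.
REPORTED_PAYLOAD = "xss\"'><img src=x onerror=alert()>"


def render_field_unsafe(value: str) -> str:
    """Vulnerable pattern (assumed): the stored setting is dropped into an
    HTML attribute verbatim, so a quote ends the attribute and '>' ends
    the tag, and whatever follows is parsed as new markup."""
    return f'<input type="text" name="redirect" value="{value}">'


def render_field_safe(value: str) -> str:
    """Hardened pattern: contextual output encoding. html.escape with
    quote=True encodes &, <, >, " and ', so the value stays inside the
    attribute no matter what it contains."""
    return f'<input type="text" name="redirect" value="{html.escape(value, quote=True)}">'


class _StartTagCollector(HTMLParser):
    """Records (tag, attrs) for every start tag the browser-like parser sees."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        self.found.append((tag, dict(attrs)))


def parse_field(markup: str) -> list:
    """A rendered field should contain exactly one start tag: the <input>.
    Any extra tag means the stored value was interpreted as markup."""
    parser = _StartTagCollector()
    parser.feed(markup)
    return parser.found


def is_acceptable_redirect(value: str) -> bool:
    """Defence in depth: validate on save, not only on output. Accept a
    site-relative path or an absolute http(s) URL; reject control
    characters, quotes, angle brackets, other schemes and scheme-relative
    URLs (which would redirect off-site)."""
    if not value or any(ord(c) < 0x20 for c in value) or any(c in value for c in "<>\"'"):
        return False
    parts = urlsplit(value)
    if parts.scheme == "" and parts.netloc == "":
        return value.startswith("/")
    return parts.scheme in ("http", "https") and parts.netloc != ""
```

In the escaped rendering the parser still returns the original payload as the input's value attribute, i.e. the data survives intact but is never treated as markup.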

💥 Impact

XSS attack: the stored redirect URL value is executed as script in the admin panel.
