Channel: E Hacking News - Latest Hacker News and IT Security News

Reflected XSS in Vulnerability-Lab site (vulnerability-lab.com)


The Inj3ct0r team has found a reflected cross-site scripting (XSS) vulnerability in the official website of Vulnerability-Lab.

The Vulnerability Lab subdomain that hosts video demos of exploits (video.vulnerability-lab.com/) has been found to be vulnerable to the non-persistent XSS security flaw.




The Inj3ct0r team provided us with the PoC for the vulnerability:
173.0.61.44/video/?s="><script>alert("Inj3ct0r Team found Xss on vulnerability-lab")</script>&x=7&y=8
The above code will display a popup with the text "Inj3ct0r Team found Xss on vulnerability-lab". At first the URL confused me; it points to some other IP.

But I visited the "video.vulnerability-lab.com" website and verified the security flaw by entering the script. It seems like the result is being loaded from the above-mentioned IP address.
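The PoC's leading `">` suggests the `s` search value is echoed inside a quoted HTML attribute. The following is an added example, not code from the site or from either team: it assumes a hypothetical search box that reflects `s` into a `value` attribute (the site's real markup is not shown here) and contrasts the raw reflection with an attribute-encoded one, using the PoC query as constructed sample input.

```javascript
// Constructed sample input: the query string from the PoC quoted in this article.
const POC_QUERY =
  's="><script>alert("Inj3ct0r Team found Xss on vulnerability-lab")</script>&x=7&y=8';

// Extract the search term the way a server-side handler would see it.
function searchTerm(query) {
  return new URLSearchParams(query).get("s") ?? "";
}

// Vulnerable pattern (assumed markup): the term is pasted into the attribute as-is,
// so a double quote in the input ends the attribute and later text becomes markup.
function renderUnsafe(term) {
  return `<input type="text" name="s" value="${term}">`;
}

// Encode every character that can end an attribute value or start a tag.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: same markup, but the reflected term is attribute-encoded.
function renderSafe(term) {
  return `<input type="text" name="s" value="${escapeAttr(term)}">`;
}

// Regression check for the template: the output must still be exactly one
// <input> element whose value contains no raw quote or angle bracket.
function staysInAttribute(html) {
  return /^<input type="text" name="s" value="[^"<>]*">$/.test(html);
}

const term = searchTerm(POC_QUERY);
console.log("unsafe stays in attribute:", staysInAttribute(renderUnsafe(term)));
console.log("safe stays in attribute:  ", staysInAttribute(renderSafe(term)));
console.log(renderSafe(term));
```
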


"We know already about the issue 3 weeks ago." The Vulnerability Lab team has responded. "The issue is not exploitable ... its fake because the issue is located in the website where no login is in use even if it is wordpress."

"The module and the video blog itself was secured ... only the update made the vulnerable module back available."
