CVEs-PoC/2020/CVE-2020-24912.md

### [CVE-2020-24912](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24912)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

A reflected cross-site scripting (XSS) vulnerability in qcubed (all versions including 3.1.1) in profile.php via the stQuery-parameter allows unauthenticated attackers to steal sessions of authenticated users.

### POC

#### Reference
- http://seclists.org/fulldisclosure/2021/Mar/30
- https://tech.feedyourhead.at/content/QCubed-Cross-Site-Scripting-CVE-2020-24912
- https://www.ait.ac.at/themen/cyber-security/pentesting/security-advisories/ait-sa-20210215-03

#### Github
- https://github.com/ARPSyndicate/kenzer-templates