CVE-2020-24963

MEDIUM

Best Support System v3.0.4 - Authenticated Stored Cross-Site Scripting

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-24963. PoCs published by Ex.Mi.

AI-analyzed exploit summary This exploit demonstrates an authenticated persistent XSS vulnerability in Best Support System 3.0.4 via the 'ticket_body' parameter. The payload injects malicious JavaScript into a ticket reply, which executes when viewed by another user.

Description

An Authenticated Persistent XSS vulnerability was discovered in the Best Support System, tested version v3.0.4.

Exploits (1)

exploitdb WORKING POC

by Ex.Mi · textwebappsphp

https://www.exploit-db.com/exploits/49122

View Code ZIP pw:eip

This exploit demonstrates an authenticated persistent XSS vulnerability in Best Support System 3.0.4 via the 'ticket_body' parameter. The payload injects malicious JavaScript into a ticket reply, which executes when viewed by another user.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Best Support System 3.0.4

Auth required

Prerequisites: Authenticated session · Access to ticket reply functionality

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Various Sources x_refsource_misc

https://medium.com/%40ex.mi/php-best-support-system-v3-0-4-authenticated-persistent-xss-dfe6d4a06f75

Various Sources x_refsource_misc

https://ex-mi.ru/exploit/%5B2020-08-23%5D-%5BPHP%5D-best-support-system-v3.0.4.txt

Scores

CVSS v3 5.4

EPSS 0.0185

EPSS Percentile 76.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

appsbd/best_support_system 3.0.4

Published Sep 04, 2020

Tracked Since Feb 18, 2026