CVE-2020-35249

MEDIUM

elkarbackup 1.3.3 - Stored Cross-Site Scripting via Client Name Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-35249. PoCs published by Enes Özeser.

AI-analyzed exploit summary This exploit demonstrates a persistent XSS vulnerability in ElkarBackup 1.3.3 by injecting malicious JavaScript payloads into the 'Name' field of the 'Add client' feature. The payloads are executed when the page is viewed, confirming the vulnerability.

Description

Cross Site Scripting (XSS) vulnerability in ElkarBackup 1.3.3, allows attackers to execute arbitrary code via the name parameter to the add client feature.

Exploits (1)

exploitdb WORKING POC

by Enes Özeser · textwebappsphp

https://www.exploit-db.com/exploits/48756

View Code ZIP pw:eip

This exploit demonstrates a persistent XSS vulnerability in ElkarBackup 1.3.3 by injecting malicious JavaScript payloads into the 'Name' field of the 'Add client' feature. The payloads are executed when the page is viewed, confirming the vulnerability.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: ElkarBackup 1.3.3

Auth required

Prerequisites: Valid credentials for the ElkarBackup application · Access to the 'Jobs' section with permission to add clients

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/48756

Scores

CVSS v3 6.1

EPSS 0.0112

EPSS Percentile 62.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

elkarbackup/elkarbackup 1.3.3

Published Nov 02, 2021

Tracked Since Feb 18, 2026