CVE-2023-30256

MEDIUM NUCLEI

QloApps 1.5.2 - Cross-Site Scripting via AuthController Parameters

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-30256. PoCs published by Astik Rawat, ahrixia. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates a Cross-Site Scripting (XSS) vulnerability in Webkul QloApps 1.5.2, where the 'back' and 'email_create' parameters are vulnerable to XSS payloads. The PoC includes both GET and POST request examples with payloads that trigger JavaScript execution.

Description

Cross-Site Scripting vulnerability found in Webkul QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create parameters in the AuthController.php file.

Exploits (2)

exploitdb WORKING POC
by Astik Rawat · text · webapps · php
https://www.exploit-db.com/exploits/51465

This exploit demonstrates a Cross-Site Scripting (XSS) vulnerability in Webkul QloApps 1.5.2, where the 'back' and 'email_create' parameters are vulnerable to XSS payloads. The PoC includes both GET and POST request examples with payloads that trigger JavaScript execution.

Classification
Working Poc 95%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Webkul QloApps 1.5.2
No auth needed
Prerequisites: Access to the login page of the target application
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 3 stars
by ahrixia · poc
https://github.com/ahrixia/CVE-2023-30256

This repository contains a proof-of-concept for a Cross-Site Scripting (XSS) vulnerability in Webkul QloApps 1.5.2, affecting the 'email_create' and 'back' parameters. The PoC includes payloads and request examples demonstrating the exploitation of these parameters.

Classification
Working Poc 95%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Webkul QloApps 1.5.2
No auth needed
Prerequisites: Access to the vulnerable application
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Webkul QloApps 1.5.2 - Cross-site Scripting
MEDIUM · VERIFIED · by theamanrawat
FOFA: title="qloapps"

Scores

CVSS v3 6.1
EPSS 0.0873
EPSS Percentile 94.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
webkul/qloapps 1.5.2
Published May 11, 2023
Tracked Since Feb 18, 2026