Mobile Atlas Creator (MOBAC) contains a flaw that allows a persistent cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via map names in an atlas. With a specially crafted Atlas Map file that is sent and subsequently opened by the victim, an attacker can execute arbitrary script code.
Proof of Concept:
The vulnerability can be exploited by local attackers with low privilege system user account and low user interaction.
For demonstration or reproduce ...
Manually steps to reproduce ...
1) Install and open atlas software
2) In the menu, goto Atlas -> New Atlas
3) Use the following payload as the Atlas name >"<iframe src=http://www.vulnerability-lab.com
4) Click OK to save the input with the non-malicious test frame
5) Right click on the Atlas Content and click the Show Details menu button
6) The script code with the test frame will be executed in the main software when processing to load the show details function of the main listing module.