| Title | Active eCommerce CMS 6.5.0 - Stored XSS |
|---|---|
| User | skalvin (UID 49463) |
| Submitted | 2023-06-25 13:14 (3 years ago) |
| Moderation | 2023-07-04 15:50 (9 days later) |
| Status | Accepted |
| VulDB entry | 232954 [Active It Zone Active eCommerce CMS 6.5.0 Create Ticket Page support_ticket details cross site scripting] |
| Points | 17 |

## Description

- Author : skalvin aka (CraCkEr)
- Date : 25/06/2023
- Website : https://activeitzone.com/active-ecommerce-cms/
- Vendor : Active It Zone
- Software : Active eCommerce CMS 6.5.0
- Vuln Type: Stored XSS
- Impact : Manipulate the content of the site

Release Notes:
Allows an attacker to inject malicious code into the website, giving the ability to steal sensitive information, manipulate data, and launch additional attacks.

## Stored XSS

The `details` POST parameter of the support ticket form is vulnerable to stored XSS. The relevant part of the request:

```http
POST /ecommerce/support_ticket HTTP/2
Content-Disposition: form-data; name="details"

<script>alert(1)</script>
```

## Steps to Reproduce

1. Log in as a normal user.
2. Go to [Support Ticket] at this path: https://website/support_ticket
3. Click [Create a Ticket].
4. Enter the XSS payload in "Provide a detailed description".
5. Send the ticket.
6. The ADMIN visits [Support Desk] > [Ticket] to check [New Tickets] in the administration panel at this path: https://website/admin/support_ticket
7. The ADMIN clicks the [Eye Icon] to view the details and read the ticket.
8. The XSS fires and executes in the admin's browser.

[-] Done
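The root cause is that the stored `details` value is inserted into the admin ticket view without output encoding. The following is an added example (not code from the advisory or from the Active eCommerce CMS code base) that contrasts that vulnerable rendering pattern with the escaped form, and scans already-stored ticket rows for script-bearing markup so existing submissions can be triaged after a fix; the ticket rows and rendering functions are constructed for the example.

```python
import html
import re

# Constructed sample rows, shaped like stored support_ticket "details" values.
# Ticket 102 carries the payload shown in the advisory; 103 is benign text
# that happens to contain angle brackets and must still display correctly.
SAMPLE_TICKETS = [
    {"id": 101, "details": "My order #4432 has not arrived & tracking is empty."},
    {"id": 102, "details": "<script>alert(1)</script>"},
    {"id": 103, "details": "Price shows as <b>bold</b> but should be plain."},
]


def render_details_unsafe(details: str) -> str:
    """Vulnerable pattern (hypothetical stand-in for the admin view):
    raw interpolation of user-supplied text into HTML, so any tags in
    'details' are parsed and executed by the administrator's browser."""
    return f'<div class="ticket-details">{details}</div>'


def render_details_safe(details: str) -> str:
    """Hardened pattern: HTML-encode at output time so the stored value is
    shown as text. quote=True also encodes quotes, which matters if the value
    is ever placed inside an attribute."""
    return f'<div class="ticket-details">{html.escape(details, quote=True)}</div>'


# Markup that has no place in a plain-text ticket description: script tags,
# javascript: URLs and inline event-handler attributes.
SUSPICIOUS = re.compile(r"<\s*script\b|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def find_suspicious_tickets(tickets):
    """Return ids of stored tickets whose 'details' contain script-bearing
    markup. Escaping fixes rendering, but rows submitted before the fix are
    still stored as sent, so they should be reviewed."""
    return [t["id"] for t in tickets if SUSPICIOUS.search(t["details"])]


if __name__ == "__main__":
    for ticket in SAMPLE_TICKETS:
        print(ticket["id"], render_details_safe(ticket["details"]))
    print("needs review:", find_suspicious_tickets(SAMPLE_TICKETS))
```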