Submit #173857: Active eCommerce CMS 6.5.0 - Stored XSS

Title: Active eCommerce CMS 6.5.0 - Stored XSS
Description:
Author : skalvin aka (CraCkEr)
Date : 25/06/2023
Website : https://activeitzone.com/active-ecommerce-cms/
Vendor : Active It Zone
Software : Active eCommerce CMS 6.5.0
Vuln Type: Stored XSS
Impact : Manipulate the content of the site

Release Notes:
Allows an attacker to inject malicious code into the website, giving the ability to steal sensitive information, manipulate data, and launch additional attacks. Because the stored payload is submitted by an ordinary user account and executes in the administrator's authenticated browser session, it lets an unprivileged user act with administrator privileges.

## Stored XSS
------------------------------------------------------------
POST /ecommerce/support_ticket HTTP/2
Content-Disposition: form-data; name="details"

<script>alert(1)</script>
------------------------------------------------------------
POST parameter 'details' is vulnerable to stored XSS: the value is saved unescaped and rendered into the admin ticket view.

## Steps to Reproduce:
1. Log in as a normal user.
2. Go to [Support Ticket] at https://website/support_ticket
3. Click [Create a Ticket]
4. Inject your XSS payload into the "Provide a detailed description" field
5. Send the ticket
6. When the ADMIN visits [Support Desk] .. [Ticket] to check new tickets in the Administration Panel at https://website/admin/support_ticket
7. The ADMIN clicks the [Eye Icon] to view details and read the ticket
8. The XSS fires and executes in the admin's browser
[-] Done
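The following is an added example, not code from the VulDB submission or from Active eCommerce CMS. It models the bug class the advisory describes: a `details` value submitted by a normal user is stored verbatim and later interpolated into the admin's ticket-view HTML without escaping. The ticket store, the two renderers, the multipart-body builder and the sample ticket text are all constructed for this example; the application's real template and storage code are not shown on the page. The vulnerable renderer is placed beside the hardened one so the difference in output is concrete.

```python
"""Added example: stored XSS via a support-ticket `details` field, vulnerable
rendering beside the escaped form. Everything here is constructed for the
example; it does not reproduce Active eCommerce CMS source code.
"""
import html
import re

# The payload from the advisory, exactly as sent in the `details` field.
ADVISORY_PAYLOAD = "<script>alert(1)</script>"

# Constructed stand-in for the ticket table. Storing the raw text is fine;
# stored XSS is fixed at the output (rendering) boundary, not at storage.
TICKETS: dict[int, dict[str, str]] = {}


def build_ticket_request_body(details: str,
                              boundary: str = "----ExampleBoundary") -> str:
    """Multipart/form-data body for the captured POST /ecommerce/support_ticket.

    Only the `details` part appears in the advisory capture; any other fields
    the real form carries (assumption) are omitted here.
    """
    return (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="details"\r\n'
        "\r\n"
        f"{details}\r\n"
        f"--{boundary}--\r\n"
    )


def create_ticket(ticket_id: int, subject: str, details: str) -> None:
    """Persist the user-supplied fields verbatim (as a normal user would submit them)."""
    TICKETS[ticket_id] = {"subject": subject, "details": details}


def render_admin_view_vulnerable(ticket_id: int) -> str:
    """Mirror of the vulnerable behaviour: raw interpolation of stored text into
    the admin's ticket-detail HTML (hypothetical template, not the vendor's)."""
    t = TICKETS[ticket_id]
    return (f'<div class="ticket"><h3>{t["subject"]}</h3>'
            f'<p>{t["details"]}</p></div>')


def render_admin_view_fixed(ticket_id: int) -> str:
    """Hardened form: HTML-escape every user-controlled value at output time.

    html.escape with quote=True covers the element-content context used here;
    attribute or JavaScript contexts would need their own encoders.
    """
    t = TICKETS[ticket_id]
    return (f'<div class="ticket"><h3>{html.escape(t["subject"], quote=True)}</h3>'
            f'<p>{html.escape(t["details"], quote=True)}</p></div>')


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_active_markup(rendered_html: str) -> bool:
    """Cheap triage check over rendered output: does a live <script> tag survive?

    A true result on the admin view means the stored payload would execute.
    """
    return _SCRIPT_TAG.search(rendered_html) is not None


if __name__ == "__main__":
    create_ticket(1, "Order problem", ADVISORY_PAYLOAD)
    print("request body:\n" + build_ticket_request_body(ADVISORY_PAYLOAD))
    print("vulnerable view executes script:",
          contains_active_markup(render_admin_view_vulnerable(1)))
    print("fixed view executes script:",
          contains_active_markup(render_admin_view_fixed(1)))
```

Running the script shows the same ticket producing an executable `<script>` element from the vulnerable renderer and the inert text `&lt;script&gt;alert(1)&lt;/script&gt;` from the escaped one. Escaping at output time rather than stripping at input time keeps legitimate tickets containing `<` or `&` readable while removing the injection.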
User: skalvin (UID 49463)
Submission: 06/25/2023 13:14
Moderation: 07/04/2023 15:50 (9 days later)
Status: Accepted
VulDB entry: 232954 [Active It Zone Active eCommerce CMS 6.5.0 Create Ticket Page support_ticket Details cross site scripting]
Points: 17
