Cosmoshop Cross Site Scripting

2015.02.17

Credit: l0om

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

author: l0om
page: l0om.org
date: 14.02.2015

Cosmoshop is a simple webshop designed for the german market.

There is a simple XSS flaw at the admin-login panel in probably all cosmoshop versions. The admin login can be found at

http://www.shop-site.de/cgi-bin/cosmoshop/admin/index.cgi

This page will show a typical login screen. The username field is filled with the value of "u_name". Since this parameter isn't filtered you can inject javascript code and trick someone to execute it.

http://www.shop-site.de/cgi-bin/cosmoshop/admin/index.cgi?u_name=><script>alert("hello")</script>

nothing special but better to know.

Greetings and so long,
l0om

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

Cosmoshop Cross Site Scripting

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Cosmoshop Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.