32 lines
No EOL
1.5 KiB
Text
32 lines
No EOL
1.5 KiB
Text
# Exploit Title: Shopizer 2.16.0 - 'Multiple' Cross-Site Scripting (XSS)
|
|
# Date: 23-05-2021
|
|
# Exploit Author: Marek Toth
|
|
# Vendor Homepage: https://www.shopizer.com
|
|
# Software Link: https://github.com/shopizer-ecommerce/shopizer
|
|
# Version: <= 2.16.0
|
|
# CVE: CVE-2021-33561, CVE-2021-33562
|
|
|
|
Stored XSS - 'customer_name' Administration
|
|
|
|
Description:
|
|
A stored cross-site scripting (XSS) vulnerability in Shopizer before version 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration and saved in the database. The code is executed for any user of store administration when information is fetched from backend.
|
|
|
|
Steps to reproduce:
|
|
1. Open "http://example.com/admin/" and login to the administration
|
|
2. Open "Customers" (http://example.com/admin/customers/list.html) and click on the "Details" button
|
|
3. Change customer name to <script>alert(1)</script> and save it
|
|
4. Open "Customers" -> XSS payload will trigger
|
|
|
|
Except "Customers" section, XSS will be executed in "Orders" (/admin/orders/list.html) and "Recent orders" (/admin/home.html)
|
|
|
|
Reflected XSS - 'ref' parameter
|
|
|
|
Description:
|
|
A reflected cross-site scripting (XSS) vulnerability in Shopizer before version 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the 'ref' parameter.
|
|
|
|
Payloads:
|
|
'+alert(1)+'
|
|
'+eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))+'
|
|
|
|
PoC:
|
|
http://example.com/shop/product/vintage-bag-with-leather-bands.html/ref='+alert(1)+' |