16 lines
No EOL
623 B
Text
16 lines
No EOL
623 B
Text
# Exploit Title: Bagisto 1.3.3 - Client-Side Template Injection
|
|
# Date: 11-25-2021
|
|
# Exploit Author: Mohamed Abdellatif Jaber
|
|
# Vendor Homepage: https://bagisto.com/en/
|
|
# Software Link: https://github.com/bagisto/bagisto
|
|
# Version: v1.3.3
|
|
# Tested on: [windows | chrome | firefox ]
|
|
|
|
Exploit :.
|
|
1- register an account and login your account
|
|
2- go to your profile and edit name , address
|
|
2- and put this payload {{constructor.constructor('alert(document.domain)')()}}
|
|
3- admin or any one view order or your profile will execute arbitrary JS-code
|
|
.
|
|
|
|
rf:https://portswigger.net/kb/issues/00200308_client-side-template-injection |