Skip to content

Instantly share code, notes, and snippets.

@higordiego

higordiego/cve-xss.md Secret

Created October 11, 2024 22:21
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save higordiego/1c1e1709a6832cb63bbe9e9328f55ff9 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save higordiego/1c1e1709a6832cb63bbe9e9328f55ff9 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
cve-xss.md

Affected Version:

  • Online Eyewear Shop Website: 1.0

Vulnerability Information:

  • Vulnerability Type: Stored Cross-Site Scripting (XSS)
  • Severity: HIGH
  • Status: Unpatched

Vulnerable URL:

  • /admin/?page=inventory/view_inventory&id=2

Vulnerability Description:

A stored XSS vulnerability exists in the Online Eyewear Shop Website version 1.0. This flaw occurs in the product inventory detail section, where stock history entries are stored. Malicious users can inject persistent XSS payloads into this field, potentially allowing attackers to steal session cookies, execute malicious scripts, and compromise both other users and administrators.

Proof of Concept (PoC):

An attacker can inject the following malicious script into the stock history field:

<script>alert('XSS');</script>

Once the script is stored in the system, it will execute whenever the affected page is accessed, leading to the potential theft of sensitive information or other harmful actions.

XSS Example:

  • StoredCss

  • Stored XSS Example

  • Payload Insertion

External Links:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment