Cross-site Scripting (XSS) - Stored in s-cart/core
Reported on
Jan 30th 2022
Description
Multiple stored XSS issues exist in S-Cart version 6.8.4 and below and lead to cookie stealing from any victim who visits the affected URL. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
Proof of Concept
Affected version: v6.8.4 (core 6.8.11)
Affected endpoint:
1 POST http://localhost/s-cart/public/sc_admin/auth/setting
2 POST http://localhost/s-cart/public/sc_admin/role/edit/
3 POST http://localhost/sc_admin/permission/edit/
4 POST http://localhost/s-cart/public/sc_admin/checkip/edit/1
Affected module/function:
1 Setting account # Full name field [anyone with the role Administrator, Manager, Accountant, Marketing or Admin CMS can conduct this attack]
2 System Config > User permission > Roles # Name field
3 System Config > User permission > Permission # Name field
4 System Config > Security > CheckIp # Description field
Payload:
<bOdy oNloAd=alert(document.cookie)>
Steps to reproduce:
1 Login as Admin
2 Go to System Config > User permission > Roles > Edit any role
3 Insert payload in Name field > submit
The XSS fires when a user visits:
1 http://localhost/s-cart/public/sc_admin/user
2 http://localhost/s-cart/public/sc_admin/role
3 http://localhost/s-cart/public/sc_admin/permission
4 http://localhost/s-cart/public/sc_admin/checkip
Impact
This vulnerability can be used to deface the website, run malicious JavaScript in the pages of other users, steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
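As an added defender-side example (not part of this report or of the S-Cart code base): a small Python audit that scans stored values of the four affected fields for markup like the payload above, and shows the HTML-escaped rendering that neutralises it. The table and column names and the sample rows are constructed placeholders, not S-Cart's real schema.

```python
import html
import re

# Detection patterns: any HTML tag, and any on*= event-handler attribute.
# Case-insensitive, because the reported payload uses mixed case (<bOdy oNloAd=...>).
TAG_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I)
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.I)

# Payload quoted in the report.
PAYLOAD = "<bOdy oNloAd=alert(document.cookie)>"

# Constructed sample rows standing in for the four affected fields; the table
# and column names are placeholders, not S-Cart's real schema.
SAMPLE_ROWS = [
    {"table": "admin_user", "field": "name", "value": "Alice O'Brien"},
    {"table": "admin_role", "field": "name", "value": PAYLOAD},
    {"table": "admin_permission", "field": "name", "value": "Sales & Marketing"},
    {"table": "admin_checkip", "field": "description", "value": "Office <b>VPN</b> range"},
]

def find_markup(value: str) -> list[str]:
    """Return the reasons a stored value would be risky if rendered unescaped."""
    reasons = []
    if TAG_RE.search(value):
        reasons.append("html-tag")
    if HANDLER_RE.search(value):
        reasons.append("event-handler")
    return reasons

def audit(rows: list[dict]) -> list[dict]:
    """Flag rows whose stored value contains markup. Run this over a database
    export after patching, since upgrading does not clean values already stored."""
    flagged = []
    for row in rows:
        reasons = find_markup(row["value"])
        if reasons:
            flagged.append({**row, "reasons": reasons})
    return flagged

def render_safe(value: str) -> str:
    """What the admin pages should emit: the value HTML-escaped, so the browser
    shows the text instead of parsing a <body> tag with an onload handler."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    for row in audit(SAMPLE_ROWS):
        print(f'{row["table"]}.{row["field"]}: {row["reasons"]} -> {render_safe(row["value"])}')
```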