Cross-site Scripting (XSS) - Stored in s-cart/core

Valid

Reported on

Jan 30th 2022


Description

Multiple Stored XSS exists in S-Cart Version 6.8.4 and below leads to cookie stealing of any victim that visits the affected URL. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

Proof of Concept

Affecter version: v6.8.4 core 6.8.11

Affected endpoint:

1 POST http://localhost/s-cart/public/sc_admin/auth/setting

2 POST http://localhost/s-cart/public/sc_admin/role/edit/

3 POST http://localhost/sc_admin/permission/edit/

4 POST http://localhost/s-cart/public/sc_admin/checkip/edit/1

Affected module/function:

1 Setting account # Full name field [anyone with roles of Administrator, Manager, Accountant, Marketing, Admin CMS] can conduct this attack.

2 System Config > User permission > Roles # Name field

3 System Config > User permission > Permission # Name field

4 System Config > Security > CheckIp # Description field

Payload:

<bOdy oNloAd=alert(document.cookie)>

Step to reproduce:

1 Login as Admin

2 Go to System Config > User permission > Roles > Edit any role

3 Insert payload in Name field > submit

_

Xss will fire-up by user visiting:

1 http://localhost/s-cart/public/sc_admin/user

2 http://localhost/s-cart/public/sc_admin/role

3 http://localhost/s-cart/public/sc_admin/permission

4 http://localhost/s-cart/public/sc_admin/checkip

Impact

This vulnerability is capable of deface websites, run malicious javascript code on web pages, stealing a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

References

We are processing your report and will contact the s-cart/core team within 24 hours. 4 months ago
We have contacted a member of the s-cart/core team and are waiting to hear back 4 months ago
Faisal Fs modified the report
4 months ago
s-cart validated this vulnerability 4 months ago
Faisal Fs has been awarded the disclosure bounty
The fix bounty is now up for grabs
s-cart confirmed that a fix has been merged on 32b666 4 months ago
The fix bounty has been dropped
to join this conversation