Cross-site Scripting (XSS) - Stored in s-cart/core

Valid

Reported on

Jan 30th 2022


Description

Multiple stored XSS vulnerabilities exist in S-Cart version 6.8.4 and below. An attacker with an admin-panel account can store a JavaScript payload in several name/description fields; it then executes in the browser of any user who visits the affected listing pages. The attacker can use this to steal that user's session cookie and gain unauthorized access to the account.

Proof of Concept

Affected version: v6.8.4 (core 6.8.11)

Affected endpoints:

1. POST http://localhost/s-cart/public/sc_admin/auth/setting
2. POST http://localhost/s-cart/public/sc_admin/role/edit/
3. POST http://localhost/sc_admin/permission/edit/
4. POST http://localhost/s-cart/public/sc_admin/checkip/edit/1

Affected module/function:

1. Setting account > Full name field (anyone with the Administrator, Manager, Accountant, Marketing or Admin CMS role can conduct this attack)
2. System Config > User permission > Roles > Name field
3. System Config > User permission > Permission > Name field
4. System Config > Security > CheckIp > Description field

Payload:

<bOdy oNloAd=alert(document.cookie)>

Steps to reproduce:

1. Log in as Admin.
2. Go to System Config > User permission > Roles > Edit any role.
3. Insert the payload in the Name field and submit.

The XSS fires when a user visits any of:

1. http://localhost/s-cart/public/sc_admin/user
2. http://localhost/s-cart/public/sc_admin/role
3. http://localhost/s-cart/public/sc_admin/permission
4. http://localhost/s-cart/public/sc_admin/checkip

Impact

This vulnerability allows an attacker to deface pages, run malicious JavaScript in the context of the admin panel, steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
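Why output encoding, rather than a blocklist, is the right fix for fields like these, as an added PHP example that is not S-Cart's code: the function names, the sample field values and the audit regex are my own, and the remark about Blade describes Laravel's default `{{ }}` escaping.

```php
<?php
// Added example, not S-Cart code. Demonstrates (1) why a case-sensitive
// blocklist does not stop the reported payload, (2) the output encoding
// that neutralises it, and (3) a simple audit check for already-stored rows.
declare(strict_types=1);

// The payload from the report, as it would sit in a Name/Description column.
const REPORTED_PAYLOAD = '<bOdy oNloAd=alert(document.cookie)>';

// Anti-pattern: a literal blocklist. Mixed-case tag and handler names are not
// matched, so the value is stored verbatim and runs when echoed unescaped.
function naiveBlocklist(string $value): string
{
    return str_replace(['<script', 'onload='], '', $value);
}

// Mitigation: encode at output time for the HTML-body context. Laravel's Blade
// {{ $value }} does this through e(), a wrapper around htmlspecialchars with
// ENT_QUOTES; {!! $value !!} echoes the raw string and must not be used for
// user-controlled fields.
function escapeForHtmlBody(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Audit check (hypothetical helper): flag stored values that contain a tag or
// an inline event handler, case-insensitively, so rows saved before the
// upgrade to a fixed version can be reviewed.
function looksLikeStoredMarkup(string $value): bool
{
    return (bool) preg_match('/<\s*[a-z]|\bon[a-z]+\s*=/i', $value);
}

// Constructed sample field values.
$samples = [
    'Jane Doe',            // benign full name
    REPORTED_PAYLOAD,      // the payload from the report
    'Sales & Marketing',   // benign, but still needs encoding for the ampersand
];

foreach ($samples as $value) {
    printf("input:     %s\n", $value);
    printf("blocklist: %s\n", naiveBlocklist($value));     // payload survives intact
    printf("escaped:   %s\n", escapeForHtmlBody($value));  // rendered as inert text
    printf("flagged:   %s\n\n", looksLikeStoredMarkup($value) ? 'yes' : 'no');
}
```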

Timeline

- We are processing your report and will contact the s-cart/core team within 24 hours. (a year ago)
- We have contacted a member of the s-cart/core team and are waiting to hear back. (a year ago)
- Faisal Fs ⚔️ modified the report. (a year ago)
- s-cart validated this vulnerability. (a year ago)
- Faisal Fs ⚔️ has been awarded the disclosure bounty.
- The fix bounty is now up for grabs.
- s-cart marked this as fixed in 6.8.13 with commit 32b666. (a year ago)
- The fix bounty has been dropped.
- This vulnerability will not receive a CVE.