Cross-site Scripting (XSS) - Stored in s-cart/s-cart

Valid

Reported on

Feb 2nd 2022


Description

Stored XSS in S-Cart Version 6.8.3 affecting Product and Category module.

Proof of Concept

Product version: S-Cart Version 6.8.3 core 6.8.10 , https://github.com/s-cart/s-cart/releases/tag/v6.8.3

Vulnerability 1: Stored XSS In Product module

1 Endpoint: POST http://localhost/s-cart/public/sc_admin/product/edit/{productID_here}

2 Parameter: descriptions[en][name]

3 Affected field: Name

4 Payload: <script>alert(document.cookie)</script>

Steps to reproduce:

1 Login as a user with has the permission of the Product module.

2 Go to Product & category > Products.

3 Edit any product and insert payload in Name field > Submit.

Xss will fireup by user visiting:

1 .http://localhost/s-cart/public/sc_admin/product

2 .http://localhost/s-cart/public/sc_admin/report/product

Vulnerability 2: Stored XSS In Category module

1 Endpoint: POST http://localhost/s-cart/public/sc_admin/category/edit/{categoryID_here}

2 Parameter: descriptions[en][title]

3Affected field: Name

4 Payload: Mobile Accessaries - <body onload=alert("sXSS-in-Category-Name")>

Steps to reproduce:

1 Login as a user with has the permission of the Category module.

2 Go to Product & category > Category

3 Edit any category and insert payload in Name field > Submit

Xss will fireup by user visiting:

1 http://localhost/s-cart/public/sc_admin/category

Impact

Through this vulnerability, an attacker is capable to execute malicious scripts.

We are processing your report and will contact the s-cart team within 24 hours. 4 months ago
Faisal Fs
4 months ago

Researcher


For this report, it has been fixed in s-cart/s-cart 6.8.4 and s-cart/core 6.8.11

https://github.com/s-cart/s-cart/commit/48e720c471e1e4ae0bfbba2b49de02de6143b8dd https://github.com/s-cart/core/commit/017951d62fa233b88bb8305e7eb4a13ee2b84efb

Faisal Fs modified the report
4 months ago
Faisal Fs modified the report
4 months ago
s-cart validated this vulnerability 4 months ago
Faisal Fs has been awarded the disclosure bounty
The fix bounty is now up for grabs
s-cart confirmed that a fix has been merged on 5587c2 4 months ago
The fix bounty has been dropped
to join this conversation