OpenCart 3.x.x Authenticated Stored XSS
CVE-2019-15081
Description
OpenCart version 3.x.x allows editing the Source/HTML of the Categories / Product / Information pages in the admin panel. This input is not sanitized, which allows an attacker to execute arbitrary JavaScript code, leading to stored cross-site scripting (XSS).
Proof-of-Concept (PoC)
- Log in to the admin panel.
- Navigate to Catalog, then Categories, Products or Information, and select any entry.
- Under the description, click the Source option and insert your XSS payload, e.g.: "><script>alert("XSS")</script>
- Now visit the modified page on your public website. Your injected XSS payload will execute.
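To check an existing store for descriptions that already carry script-capable markup, the following added example (not part of the original advisory or of OpenCart) parses each stored description and reports active content. It assumes descriptions may be stored HTML-entity-encoded, so each is unescaped once before parsing; the row ids, sample rows and the tag and attribute policy are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed policy for this example: elements and URL-bearing attributes to flag.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}


class ActiveContentFinder(HTMLParser):
    """Collects script-capable constructs found in one description field."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"handler:{name}")
            elif name in URL_ATTRS and value:
                # Compare the scheme with whitespace and control characters removed.
                compact = "".join(ch for ch in value if ch > " ").lower()
                if compact.startswith(("javascript:", "data:text/html")):
                    self.findings.append(f"url:{name}")


def find_active_content(stored):
    """Return findings for one stored description (unescaped once first)."""
    finder = ActiveContentFinder()
    finder.feed(html.unescape(stored))
    finder.close()
    return finder.findings


def audit(rows):
    """Map row id -> findings for each description holding active content."""
    return {rid: found for rid, text in rows if (found := find_active_content(text))}

# Constructed sample rows (id, description); 60 holds the payload from the PoC.
SAMPLE_ROWS = [
    (59, "&lt;p&gt;Laptops and notebooks&lt;/p&gt;"),
    (60, "&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;"),
    (61, '<p onmouseover="x()">Sale</p>'),
    (62, '<a href="JavaScript:x()">more</a>'),
]

if __name__ == "__main__":
    print(audit(SAMPLE_ROWS))
```

Rows reported by such an audit need manual review, since legitimate content may embed an iframe; the lasting fix is to sanitize description HTML against an allowlist before it is saved or rendered.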
