Multiple XSS Vulnerabilities exists in the iOrder
Discovered by Nithissh S
Vulnerable Version: 1.0
Vendor Homepage:
Bug Description:
Multiple Stored XSS Vulnerability in the Source Code of iOrder 1.0 allows remote attacker to execute arbitrary code via signup form in the Name and Phone number field.
Steps to Produce:
- First of all we will have a look into the Source code
2. So , as you can see the input fields weren’t properly sanitized
3. So lets register for customer account and replace input field such that Name and Phone number with XSS payload as a example below
4. After the Successful registration , XSS will triggered before and after the authentication
Impact:
If an attacker can control a script that is executed in the victim’s browser, then they can typically fully compromise that user. The attacker can carry out any of the actions that are applicable to the impact of reflected XSS vulnerabilities.
CVE Mitre -> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43440