Post by qwerty_man » Fri Feb 19, 2021 6:17 pm

Description:
Stored XSS in Opencart filemanager. Administrator can upload image with XSS in filename.

Software:
1. Browser: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0;
2. OS: Parrot Security 4.10.

Steps to reproduce:
1. Login as admin;
2. Go to Catalog -> Products;
3. Edit Product;
4. Click the Image tab;
5.Create a payload. It’s could be a .png file. Filename for example:

Code: Select all

"><svg onload=alert("XSS")>.png
6. Upload file. XSS works.

Supporting Material/References:
Video: https://youtu.be/FiifKA7PE8s

If this vulnerability is insignificant and the information can be published, please, let me know about it. Thanks!

Newbie

Posts

Joined
Wed Feb 17, 2021 2:00 am

Active Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by qwerty_man » Sun Feb 21, 2021 5:05 am


Newbie

Posts

Joined
Wed Feb 17, 2021 2:00 am
Who is online

Users browsing this forum: No registered users and 2 guests