header-logo
Suggest Exploit
vendor:
Bagisto
by:
Mohamed Abdellatif Jaber
8.8
CVSS
HIGH
Client-Side Template Injection
94
CWE
Product Name: Bagisto
Affected Version From: 1.3.2003
Affected Version To: 1.3.2003
Patch Exists: Yes
Related CWE:
CPE: bagisto
Metasploit:
Other Scripts:
Platforms Tested: Windows, Chrome, Firefox
2021

Bagisto 1.3.3 – Client-Side Template Injection

A client-side template injection vulnerability in Bagisto 1.3.3 allows an attacker to inject arbitrary JavaScript code into the application. An attacker can exploit this vulnerability by registering an account and editing their profile name and address with a malicious payload. When an administrator or any other user views the profile or order, the malicious code will be executed.

Mitigation:

Upgrade to the latest version of Bagisto
Source

Exploit-DB raw data:

# Exploit Title: Bagisto 1.3.3 - Client-Side Template Injection
# Date: 11-25-2021
# Exploit Author: Mohamed Abdellatif Jaber
# Vendor Homepage: https://bagisto.com/en/
# Software Link: https://github.com/bagisto/bagisto
# Version: v1.3.3
# Tested on: [windows | chrome | firefox ]

Exploit :.
1- register an account and login your account
2- go to your profile and edit name , address
2- and put this payload {{constructor.constructor('alert(document.domain)')()}}
3- admin or any one view order or your profile will execute arbitrary JS-code
.

rf:https://portswigger.net/kb/issues/00200308_client-side-template-injection

Navigation

Suggest Exploit

Services By CQR