Cross-Site Scripting Vulnerability in ECTOOLS Onlineshop

vendor:

Onlineshop

by:

Unknown

7.5

CVSS

HIGH

Cross-Site Scripting

CWE

Product Name: Onlineshop

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: NO

Related CWE: Not provided

CPE: a:ectools:onlineshop

Metasploit:

Other Scripts:

Platforms Tested: Unknown

Unknown

Cross-Site Scripting Vulnerability in ECTOOLS Onlineshop

The ECTOOLS Onlineshop is vulnerable to cross-site scripting (XSS) attacks. This vulnerability arises from the lack of proper input sanitization in the application. An attacker can exploit this vulnerability by injecting arbitrary script code into the affected site, leading to the execution of malicious scripts in the browsers of unsuspecting users. This can result in the theft of authentication credentials and other potential attacks.

Mitigation:

To mitigate this vulnerability, the ECTOOLS Onlineshop application should implement proper input validation and sanitization techniques to prevent the execution of malicious scripts. Additionally, implementing Content Security Policy (CSP) can provide an added layer of protection against XSS attacks.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/15891/info

ECTOOLS Onlineshop is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. 

http://www.example.com/cart.cgi?action=link&product=%22%3E%3Cscri
pt%3Ealert('r0t')%3C/script%3E

http://www.example.com/cart.cgi?action=search&category=%22%3E%3Cs
cript%3Ealert('r0t')%3C/script%3E

http://www.example.com/cart.cgi?action=link&product=33&uid=%22%3E
%3Cscript%3Ealert('r0t')%3C/script%3E