Summary:
You are able to copy and paste stored XSS code into the comment section of a product in the transfers tab and receive the error.
Reproduce:
- Create a product with the name ‘"’><img src>’
- Add a transfer with that product.
- Now go back to the product, use the code button, and type the same code for the title: ‘"’><img src>’
- You will get an XSS pop-up; ignore it. As soon as you get here, get out of the code setting and into the normal text, and copy the little piece of code with the image.
- Delete the code that we put in the HTML for the XSS.
- Go back to transfers and paste the code that we copied there.
- Error
Impact:
Steal cookie