CVE-2015-1175-xss-prestashop

2015-01-25T00:00:00
ID SECURITYVULNS:DOC:31660
Type securityvulns
Reporter Securityvulns
Modified 2015-01-25T00:00:00

Description

CVE-2015-1175-xss-prestashop

Information ——————– Advisory by Octogence. Name: Reflected XSS Vulnerability in prestashop ecommerce software Affected Software : Prestashop Affected Versions: 1.6.0.9 and possibly below Vendor Homepage : https://www.prestashop.com/

Vulnerability Type : Cross-site Scripting Severity : High CVE ID: CVE-2015-1175

Impact —— An attacker can craft a URL with malicious JavaScript code which executes in the browser.

Technical Details —————– Sample URL:

http://localhost/prestashop/prestashop/modules/blocklayered/blocklayered-ajax.php?layered_id_feature_20=20_7&id_category_layered=8&layered_price_slider=16_532f363<img%20src%3da%20onerror%3dalert(1)>9c032&orderby=position&orderway=asctrue&_=1420314938300

Parameter: layered_price_slider

Sample Payload: <img src=a onerror=alert(1)>

For more information on cross-site scripting vulnerabilities read the following article:

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Advisory Timeline (mm/dd/yyyy) ——————– 01/07/2015 – Reported 01/12/2015 – Vulnerability Fixed 01/18/2015 – Advisory Released

http://octogence.com/advisories/cve-2015-1175-xss-prestashop/

Regards Sudhanshu

Octogence Tech Solutions Noida, India Mobile | +91-9971658929 Website| www.octogence.com