Cross-site Scripting (XSS) - Generic in s-cart/core

Valid

Reported on

Nov 23rd 2020


Description

s-cart is a free e-commerce website project for businesses, built on the Laravel framework. The s-cart/core package is vulnerable to stored cross-site scripting (XSS): a crafted value submitted while adding a product to the cart is saved and later rendered back into the page without output encoding, so the injected script runs in the browser of anyone who views that page.

https://github.com/s-cart/s-cart https://s-cart.org/about.html

Steps To Reproduce:

  1. Install https://github.com/s-cart/s-cart locally, or use the public demo at https://demo.s-cart.org/
  2. Add a product to the cart and put the crafted JavaScript payload (below) in one of the fields submitted with the cart request
  3. Open the page that displays the cart contents: the stored payload is rendered unescaped and the alert fires

POC

Payload used: "><script>alert("test")</script>
