Headline
CVE-2021-43440: CVE-2021–43440 - Nithissh - Medium
Multiple Stored XSS Vulnerabilities in the Source Code of iOrder 1.0 allow remote attackers to execute arbitrary code via signup form in the Name and Phone number field.
Multiple XSS Vulnerabilities exists in the iOrder
Discovered by Nithissh S
Vulnerable Version: 1.0
Vendor Homepage:
Bug Description:
Multiple Stored XSS Vulnerability in the Source Code of iOrder 1.0 allows remote attacker to execute arbitrary code via signup form in the Name and Phone number field.
Steps to Produce:
- First of all we will have a look into the Source code
add customer source code
2. So , as you can see the input fields weren’t properly sanitized
3. So lets register for customer account and replace input field such that Name and Phone number with XSS payload as a example below
Signup form
4. After the Successful registration , XSS will triggered before and after the authentication