CVE-2023-31508: Research/ReflectedXSS_1.7.7.4.md at main · mustgundogdu/Research
A cross-site scripting (XSS) vulnerability in PrestaShop v1.7.7.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the message parameter in /contactform/contactform.php.
PRESTA-SHOP 1.7.7.4 REFLECTED CROSS SITE SCRIPTING
Vulnerable Parameter: message
XSS Payload: %3cimg+src+onerror%3dprompt%288%29%3e
Vendor: https://www.prestashop.com/
Vulnerable Code Part
Default File Path
/modules/contactform/contactform.php
Note: Some parameters have been changed by the company using the application.
Description
The PrestaShop web application processes the message value on the contact form without any sanitization. An attacker can inject an XSS payload by changing the HTTP POST request to an HTTP GET request. The exploitation is shown below.
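A detection check for the behaviour described above, added here as an example and not part of the original advisory: it flags access-log lines where the contact form's `message` parameter arrives in a GET query string and decodes to HTML markup. The `/contact-us` path, the log format (common/combined) and the sample lines are assumptions constructed for illustration; the extra decoding rounds cover logs where an upstream proxy has re-encoded the value.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Request field of a common/combined-format access log line: "METHOD URI PROTO"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# Markup that should not appear in a contact-form message passed in a query string
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:', re.I)

def fully_decode(value, max_rounds=3):
    """Undo further layers of URL encoding (%253c -> %3c -> <), bounded."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_message(line, param="message"):
    """Return the decoded parameter value if `line` is a GET carrying markup, else None."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return None
    query = urlsplit(m.group("uri")).query
    # parse_qs removes the first layer of encoding; fully_decode handles nesting
    for raw in parse_qs(query, keep_blank_values=True).get(param, []):
        decoded = fully_decode(raw)
        if MARKUP_RE.search(decoded):
            return decoded
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        value = suspicious_message(line)
        if value is not None:
            hits.append((n, value))
    return hits

# Constructed sample log; the /contact-us path and the addresses are assumptions.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/May/2023:10:00:01 +0000] "POST /contact-us HTTP/1.1" 200 5120',
    '192.0.2.11 - - [10/May/2023:10:00:09 +0000] "GET /contact-us?message=Where+is+my+order%3F HTTP/1.1" 200 5093',
    '203.0.113.7 - - [10/May/2023:10:01:12 +0000] "GET /contact-us?message=%3cimg+src+onerror%3dprompt%288%29%3e HTTP/1.1" 200 5161',
    '203.0.113.7 - - [10/May/2023:10:01:15 +0000] "GET /contact-us?message=%253cimg%2bsrc%2bonerror%253dprompt%25288%2529%253e HTTP/1.1" 200 5161',
]

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: GET with markup in message: {value!r}")
```

The legitimate POST submission and the plain-text GET are left alone; only the two GET lines whose `message` value decodes to an `<img ... onerror=...>` tag are reported.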
Http Request-Response