Clcknshop 1.0.0 Cross Site Scripting
Clcknshop version 1.0.0 suffers from a cross site scripting vulnerability.
# Exploit Title: Clcknshop 1.0.0 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 16/08/2023
# Vendor: Infosoftbd Solutions
# Vendor Homepage: https://infosoftbd.com/
# Software Link: https://infosoftbd.com/multitenancy-e-commerce-solution/
# Demo: https://kidszone.clckn.shop/
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-4707
# CWE: CWE-79 - CWE-74 - CWE-707

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

An attacker can send the victim a link containing a malicious URL in an email or instant message,
and can then perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /collection/all

GET parameter 'q' is vulnerable to XSS

https://website/collection/all?q=[XSS]

XSS Payloads:

jkhrt<script>alert(1)</script>ccnsi

[-] Done
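The advisory reports that the `q` parameter of `/collection/all` is reflected into the page unencoded. The following added example (not code from the advisory or from the Clcknshop product, whose server-side code is not shown) contrasts a raw reflection of the search term with the contextually encoded form that neutralises the quoted payload, and adds a log-scanning check that flags requests to that path whose `q` value carries tag or event-handler markers. The render functions, the log format and the sample log lines are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Payload quoted in the advisory; 'jkhrt' / 'ccnsi' are the tester's markers around the script.
ADVISORY_PAYLOAD = "jkhrt<script>alert(1)</script>ccnsi"
VULNERABLE_PATH = "/collection/all"

def render_results_vulnerable(q: str) -> str:
    # Reflects the raw search term into the HTML body: the defect class reported for /collection/all.
    return f"<h2>Results for: {q}</h2>"

def render_results_hardened(q: str) -> str:
    # Contextual output encoding for an HTML text node turns '<script>' into inert '&lt;script&gt;'.
    return f"<h2>Results for: {html.escape(q, quote=True)}</h2>"

# Heuristic markers of HTML/script injection in a URL-decoded query value (case-insensitive).
INJECTION_MARKERS = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon(?:load|error|click|mouseover|focus)\s*=", re.I)

# Combined-log-format request line: client IP, then the quoted "METHOD target PROTOCOL".
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def find_xss_attempts(log_lines):
    """Return (client_ip, decoded_q) for requests to VULNERABLE_PATH whose q looks like an injection."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _method, target = m.groups()
        parts = urlsplit(target)
        if parts.path != VULNERABLE_PATH:
            continue
        # parse_qs percent-decodes the value, so the check runs on what the server actually reflects.
        for q in parse_qs(parts.query, keep_blank_values=True).get("q", []):
            if INJECTION_MARKERS.search(q):
                hits.append((ip, q))
    return hits

# Constructed sample access log: one benign search, one carrying the advisory's payload (URL-encoded).
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Aug/2023:10:00:01 +0000] "GET /collection/all?q=shoes HTTP/1.1" 200 5120',
    '203.0.113.5 - - [16/Aug/2023:10:00:09 +0000] "GET /collection/all?q=jkhrt%3Cscript%3Ealert(1)%3C%2Fscript%3Eccnsi HTTP/1.1" 200 5210',
    '203.0.113.5 - - [16/Aug/2023:10:00:12 +0000] "GET /products/1 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(render_results_vulnerable(ADVISORY_PAYLOAD))
    print(render_results_hardened(ADVISORY_PAYLOAD))
    print(find_xss_attempts(SAMPLE_LOG))
```

The encoding shown is correct only for an HTML text-node context; a value reflected inside an attribute, a script block or a URL needs the encoding for that context instead.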
Related news
CVE-2023-4707
A vulnerability was found in Infosoftbd Clcknshop 1.0.0. It has been declared as problematic. This vulnerability affects unknown code of the file /collection/all. The manipulation of the argument q leads to cross site scripting. The attack can be initiated remotely. VDB-238570 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.