AmazCart Laravel Ecommerce System CMS 3.4 Cross Site Scripting
AmazCart Laravel Ecommerce System CMS version 3.4 suffers from a cross site scripting vulnerability.
# Exploit Title: AmazCart - Laravel Ecommerce System CMS 3.4 - 'Search' Cross-Site-Scripting — Reflected (AJAX)
# Date: 17/01/2023
# Exploit Author: Sajibe Kanti
# CVE ID:
# Vendor Name: CodeThemes
# Vendor Homepage: https://spondonit.com/
# Software Link: https://codecanyon.net/item/amazcart-laravel-ecommerce-system-cms/34962179
# Version: 3.4
# Tested on: Live Demo
# Demo Link : https://amazy.rishfa.com/

# Description #

AmazCart - Laravel Ecommerce System CMS 3.4 is vulnerable to reflected cross-site scripting because of insufficient sanitization of user-supplied data. Anyone can submit a reflected XSS payload without logging in when searching for a new product in the search bar. This makes the application reflect our payload in the frontend search bar, and it is fired every time the search history is viewed.

# Proof of Concept (PoC) : Exploit #

1) Go to: https://amazy.rishfa.com/
2) Enter the following payload in 'Search Item box' : "><script>alert(1)</script>
3) Now you get a popup showing alert 1
4) Reflected XSS payload is fired

# Image PoC : Reference Image #

1) Payload Fired: https://prnt.sc/QQaiZB3tFMVB
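
The fix for this class of bug is to encode the search term wherever it is reflected. The following is an added example, not AmazCart's code and not part of the original advisory: the markup, the field name `keyword` and all function names are hypothetical, and only the payload string is taken from the PoC above.

```javascript
// Added example: hypothetical markup and names, not the vendor's code.
// Payload string copied from PoC step 2 on this page.
const POC_PAYLOAD = '"><script>alert(1)</script>';

// Characters that must be encoded in HTML text and quoted-attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the search term is concatenated into the response
// fragment, once inside an attribute value and once as element text.
function renderSearchUnsafe(term) {
  return '<input type="text" name="keyword" value="' + term + '">' +
         '<p>Results for: ' + term + '</p>';
}

// Hardened form: the same fragment with every reflection encoded.
function renderSearchSafe(term) {
  const safe = escapeHtml(term);
  return '<input type="text" name="keyword" value="' + safe + '">' +
         '<p>Results for: ' + safe + '</p>';
}

// Regression check helper: list the opening tags present in a fragment.
// This is a regex scan for testing only, not an HTML parser or a sanitizer.
function listOpeningTags(html) {
  const tags = [];
  const re = /<([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) tags.push(m[1].toLowerCase());
  return tags;
}

// Demonstration with the page's payload.
console.log('unsafe tags:', listOpeningTags(renderSearchUnsafe(POC_PAYLOAD)).join(','));
console.log('safe tags:  ', listOpeningTags(renderSearchSafe(POC_PAYLOAD)).join(','));
console.log('safe output:', renderSearchSafe(POC_PAYLOAD));
```

In a Laravel Blade template the same encoding is what `{{ $term }}` performs, while `{!! $term !!}` outputs the value unescaped.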