ZenCart 1.3.8a Multiple XSS in Admin Interface
ZenCart 1.3.8a has a persistent XSS in 'Admin Home' via the 'Last Name' parameter. A second cross-site scripting vulnerability exists in the 'nogrants' parameter of sqlpatch.php.
CVSS Score
Severity
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Advisory
| Application | ZenCart |
| Version | 1.3.8a |
| Impact | Persistent and reflected XSS in the admin interface |
| Websec Advisory | WS10-05 |
Background
ZenCart is a free, open-source e-commerce shopping cart.
Description
Persistent XSS in Admin Home. The Last Name field on the user registration form is stored without sanitization and rendered into the Admin Home page, so any script in that field runs in the administrator's browser on every visit to the dashboard.
Reflected XSS in sqlpatch.php. The nogrants query parameter on /admin/sqlpatch.php is reflected into the response without encoding.
Exploit / Proof of Concept
Persistent XSS via registration:
URL: /zencart/index.php?main_page=login
Last Name: "onmouseover=alert(0)>XSS<!
Reflected XSS in the admin patch tool:
/zencart/admin/sqlpatch.php?nogrants="style="display:block;width:100%25;height:100%25;border:2px%20solid%20red;"%20onmouseover="alert(1);
Workaround
Avoid browsing untrusted sites while logged into the ZenCart administrator interface until an upstream patch is installed.
Remediation
Upgrade ZenCart to a release that sanitizes the admin-home Last Name and sqlpatch.php nogrants parameters.
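The output encoding this remediation calls for, as an added PHP example (not ZenCart's code and not part of the advisory). It assumes each value is written into a double-quoted HTML attribute, which the leading quote in both proof-of-concept strings suggests; `render_unsafe`, `render_safe` and `stays_in_attribute` are hypothetical names, and the check requires PHP's DOM extension.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical helpers, not ZenCart source code.

// Vulnerable pattern: request or database data concatenated into an attribute as-is.
function render_unsafe(string $value): string
{
    return '<input type="text" name="field" value="' . $value . '">';
}

// Hardened pattern: encode at output time for the HTML attribute context.
// ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE keeps invalid UTF-8 from yielding ''.
function render_safe(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="field" value="' . $encoded . '">';
}

// Regression check: parse the markup and confirm the input carries only the
// expected attributes and that its value is the original string, byte for byte.
function stays_in_attribute(string $html, string $original): bool
{
    libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input === null) {
        return false;
    }
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->name;
    }
    sort($names);
    return $names === ['name', 'type', 'value']
        && $input->getAttribute('value') === $original;
}

// The two proof-of-concept values from this advisory (the second URL-decoded).
$samples = [
    'Last Name' => '"onmouseover=alert(0)>XSS<!',
    'nogrants'  => '"style="display:block;width:100%;height:100%;border:2px solid red;" onmouseover="alert(1);',
];
foreach ($samples as $field => $value) {
    printf("%-9s unsafe=%s safe=%s\n", $field,
        var_export(stays_in_attribute(render_unsafe($value), $value), true),
        var_export(stays_in_attribute(render_safe($value), $value), true));
}
```

The same check can run as a regression test against any template that renders customer-supplied fields into the admin pages after an upgrade.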