## Title: Cosmetics and Beauty Product Online Store v1.0 remote
Multiple XSS-Reflected
## Author: nu11secur1ty
## Date: 02.18.2022
## Vendor: https://www.sourcecodester.com/users/tips23
## Software: https://www.sourcecodester.com/php/15181/cosmetics-and-beauty-product-online-store-phpoop-free-source-code.html
## CVE-Cosmetics and Beauty Product Online Store v1.0
## Description:
The `search` parameter from /cbpos/ app on Cosmetics and Beauty
Product Online Store v1.0 appears to be vulnerable to multiple
XSS-Reflected attacks.
The attacker can take very sensitive information from the system and
even he can prepare a very dangerous RCE by using this XSS
vulnerability.
Status: CRITICAL
[+] Payloads:
```URL
Please visit our beauty store!
![](https://cdn5-capriofiles.netdna-ssl.com/wp-content/uploads/2017/07/IMG_0068.gif")
```
- RCE example:
```URL
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/oretnom23/2022/Cosmetics-and-Beauty-Product-Online-Store)
## Proof and Exploit:
[href](https://streamable.com/sbzew8)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/oretnom23/2022/Cosmetics-and-Beauty-Product-Online-Store)
## Proof and Exploit:
[href](https://streamable.com/sbzew8)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty