Magento HTML Injection, XFS & XSS Vulnerability




I discovered HTML Injection, Clickjacking or UI redressing, and non-persistent (reflected) Cross-Site Scripting (XSS) vulnerabilities at Magento.




HTML injection is a type of injection issue that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page.



 

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.


Vulnerable Domain: https://marketplace.magento.com

Vulnerable URL:
https://marketplace.magento.com/catalogsearch/result/?cat=8&q=%22%3E%3Cscript%3Ealert%28%22Hi%22%29%3B%3C%2Fscript%3E 
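The following is an added example, not code from the original post or from Magento. It decodes the `q` parameter of the URL above and contrasts a template that reflects it unencoded with one that encodes it for the HTML attribute context, and lists the response headers that address the framing issue. The search-box markup and all function names are assumptions made for illustration.

```javascript
// Added example: a hypothetical search-results renderer, not Magento's code.
// The URL is the one reported on this page; everything else is assumed.
const REPORTED_URL =
  'https://marketplace.magento.com/catalogsearch/result/' +
  '?cat=8&q=%22%3E%3Cscript%3Ealert%28%22Hi%22%29%3B%3C%2Fscript%3E';

// Percent-decode the q parameter the way a server framework does before
// handing it to the template.
function searchTerm(url) {
  return new URL(url).searchParams.get('q') || '';
}

// Encode the characters that can end an attribute value or open a tag.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: the decoded value is concatenated into the markup.
function renderUnsafe(q) {
  return `<input type="text" name="q" value="${q}">`;
}

// Hardened pattern: the value is encoded for the HTML attribute context.
function renderSafe(q) {
  return `<input type="text" name="q" value="${escapeHtml(q)}">`;
}

// Response headers that stop other origins from framing the page, which is
// the control for the clickjacking / cross-frame issue.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Count tag openers/closers in the output: a correctly encoded search box
// contains exactly one (the <input> itself).
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}

const q = searchTerm(REPORTED_URL);
console.log('decoded q :', q);
console.log('unsafe    :', renderUnsafe(q), '->', countTags(renderUnsafe(q)), 'tags');
console.log('safe      :', renderSafe(q), '->', countTags(renderSafe(q)), 'tags');
console.log('headers   :', antiFramingHeaders());
```

A tag count above one in the rendered search box means the reflected value escaped its attribute, which makes `countTags` usable as a regression check in a template test suite.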

POC Screenshots:

HTML Injection:
  

CFS (Cross Frame Scripting):

 

Cross Site Scripting:




I reported this to Magento through Bugcrowd. Magento fixed this vulnerability, thanked me, and entered my name in the Magento Hall of Fame on Bugcrowd under the nick "Cyber Tiger".
Report
Fixed
Waiting For B

 
 


 
