Magento HTML Injection, XFS & XSS Vulnerability

I discovered HTML injection, clickjacking (UI redressing) and non-persistent (reflected) cross-site scripting (XSS) vulnerabilities at Magento.
HTML injection is a type of injection issue that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page.
Vulnerable Domain: https://marketplace.magento.com
Vulnerable URL:
https://marketplace.magento.com/catalogsearch/result/?cat=8&q=%22%3E%3Cscript%3Ealert%28%22Hi%22%29%3B%3C%2Fscript%3E
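Added example (not part of the original post and not Magento's code): decoding the `q` parameter from the URL above and reflecting it into a search-box template shows why the value starts with `">`, and how output encoding keeps it inside the attribute. The template markup and all function names are assumptions, since the post does not show the page source.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# URL from the report above; parse_qs percent-decodes the q parameter.
REPORTED_URL = ("https://marketplace.magento.com/catalogsearch/result/"
                "?cat=8&q=%22%3E%3Cscript%3Ealert%28%22Hi%22%29%3B%3C%2Fscript%3E")

# Hypothetical template: the post does not show Magento's real markup.
TEMPLATE = '<form><input type="text" name="q" value="{q}"></form>'


def search_term(url):
    """Return the decoded q parameter of a search URL ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_unsafe(q):
    """The 'before': reflects the term into the attribute verbatim."""
    return TEMPLATE.format(q=q)


def render_safe(q):
    """The fix: encode & < > " ' so the term cannot close the attribute."""
    return TEMPLATE.format(q=escape(q, quote=True))


class TagCollector(HTMLParser):
    """Records the start tags an HTML parser sees and the input's value."""

    def __init__(self):
        super().__init__()
        self.tags, self.value = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.value = dict(attrs).get("value")


def parse(html_text):
    """Parse markup and return (list of start tags, input value)."""
    collector = TagCollector()
    collector.feed(html_text)
    collector.close()
    return collector.tags, collector.value
```

Parsing `render_unsafe(search_term(REPORTED_URL))` yields an extra `script` start tag and an empty input value, while the `render_safe` output parses to only `form` and `input` with the whole search term held as the attribute value.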
POC Screenshots:
HTML Injection:
CFS(Cross Frame Scripting):
Cross Site Scripting
I reported this to Magento through Bugcrowd. Magento fixed this vulnerability, thanked me and entered my name in the Magento Hall of Fame on Bugcrowd, under the nickname Cyber Tiger.
Report
Fixed
Waiting For B