Magento HTML Injection, XFS & XSS Vulnerability

I discovered and found HTML Injection, Clickjacking or UI redressing and Non persistent (Reflected) Cross Site Scripting (XSS) vulnerability at Magento.

HTML injection is a type of injection issue that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page.


Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.

Vulnerable Domain:

Vulnerable URL: 

POC Screenshots:

HTML Injection:

 CFS(Cross Frame Scripting):


Cross Site Scripting

I report this to magento through bugcrowd. Magento fix this vulnerability and 'Thanks' me and enter my name in Magento Hall Of Fame Bugcrowd.nicked(Cyber Tiger).
Waiting For B




Popular posts from this blog

XSS like a Pro

Email Spoofing for Beginners

DoS on WAF Protected Sites by Abusing Cookie