A reflected XSS (Cross-Site Scripting) vulnerability has been discovered in DBShop商城系统 V 3.3 Release 231225. The vulnerability allows for the execution of arbitrary HTML/javascript code, potentially resulting in the theft of sensitive user information.
Details
The vulnerability is located in My Orders in the User Center. $orderStatus is echoed directly on the page without filtering.
Hebing123
commented
6 months ago
Summary
A reflected XSS (Cross-Site Scripting) vulnerability has been discovered in DBShop商城系统 V 3.3 Release 231225. The vulnerability allows for the execution of arbitrary HTML/javascript code, potentially resulting in the theft of sensitive user information.
Details
The vulnerability is located in My Orders in the User Center. $orderStatus is echoed directly on the page without filtering.
Proof of Concept (POC)
http(s)://your-ip/home-order?orderStatus=%22%3E%3Csvg%20onload=alert(5888)%3E