Stored XSS in Opencart filemanager. Administrator can upload image with XSS in filename.
Software:
1. Browser: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0;
2. OS: Parrot Security 4.10.
Steps to reproduce:
1. Login as admin;
2. Go to Catalog -> Products;
3. Edit Product;
4. Click the Image tab;
5.Create a payload. It’s could be a .png file. Filename for example:
Code: Select all
"><svg onload=alert("XSS")>.png
Supporting Material/References:
Video: https://youtu.be/FiifKA7PE8s
If this vulnerability is insignificant and the information can be published, please, let me know about it. Thanks!