Emag Marketplace (XSS) CVE-2017-17043

I came across a new cross-site scripting (XSS) vulnerability in the “Emag Marketplace Connector” plugin, version 1.0.1, from the company Zitec (https://zitec.com/).

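The vulnerable parameter is found in line 1 of the file “awb-meta-box.php” in the folder “/plugins/emag-marketplace-connector/tempates/order/”. That line writes the “post” GET parameter straight into the value attribute of a hidden input, with no validation or escaping: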

<input type="hidden" name="emkp_awb[order_id]" value="<?php echo $_GET['post']; ?>"/>

Using this vulnerability, we inject our malicious code and check whether it is actually executed.

This screenshot shows the code inside the HTML body.
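
A hardened version of the vulnerable line, as an added example that is not part of the original post or the plugin's own code. It assumes the order ID is a WordPress post ID (a positive integer); the function names and sample inputs are hypothetical.

```php
<?php
// Added example: hardened rendering of the hidden order_id field.
// Assumption: the order ID is a WordPress post ID, i.e. a positive integer.

/**
 * Return the order ID from untrusted input, or null if it is not a positive integer.
 */
function emkp_example_order_id($raw): ?int
{
    if (!is_string($raw)) {
        return null; // rejects arrays such as ?post[]=1 and missing values
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Build the hidden input. The value is escaped for an HTML attribute context
 * even though it is already validated (defence in depth).
 */
function emkp_example_order_field($raw): string
{
    $id = emkp_example_order_id($raw);
    if ($id === null) {
        return ''; // emit nothing rather than reflecting bad input
    }
    $value = htmlspecialchars((string) $id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="emkp_awb[order_id]" value="' . $value . '"/>';
}

// Constructed sample inputs (not taken from the original post).
$samples = ['1337', '42"><i>constructed</i>', '', ['1']];
foreach ($samples as $raw) {
    $shown = is_array($raw) ? 'array' : var_export($raw, true);
    $field = emkp_example_order_field($raw);
    echo $shown, ' => ', $field === '' ? '(field omitted)' : $field, PHP_EOL;
}
```

In the template itself the call would be `echo emkp_example_order_field($_GET['post'] ?? null);`. Inside WordPress, `absint()` and `esc_attr()` cover the same validate-then-escape steps.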




