AShop Open-Redirection and Cross Site Scripting Vulnerabilities
BID:50616
Info
AShop Open-Redirection and Cross Site Scripting Vulnerabilities
| Bugtraq ID: | 50616 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Nov 09 2011 12:00AM |
| Updated: | Nov 09 2011 12:00AM |
| Credit: | Infoserve Security Team |
| Vulnerable: |
AShop Software AShop 0 |
| Not Vulnerable: |
AShop Software AShop 5.1.4 |
Discussion
AShop Open-Redirection and Cross Site Scripting Vulnerabilities
AShop is prone to multiple open-redirection issues and multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input.
Attackers can exploit these issues to execute arbitrary script or HTML code, steal cookie-based authentication credentials, and conduct phishing attacks. Other attacks may also be possible.
Versions prior to AShop 5.1.4 are vulnerable.
AShop is prone to multiple open-redirection issues and multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input.
Attackers can exploit these issues to execute arbitrary script or HTML code, steal cookie-based authentication credentials, and conduct phishing attacks. Other attacks may also be possible.
Versions prior to AShop 5.1.4 are vulnerable.
Exploit / POC
AShop Open-Redirection and Cross Site Scripting Vulnerabilities
An attacker can exploit these issues by enticing an unsuspecting victim into following a malicious URI.
The following example URIs are available:
An attacker can exploit these issues by enticing an unsuspecting victim into following a malicious URI.
The following example URIs are available:
Solution / Fix
AShop Open-Redirection and Cross Site Scripting Vulnerabilities
Solution:
Updates are available. Please see the references for more information.
Solution:
Updates are available. Please see the references for more information.
References
AShop Open-Redirection and Cross Site Scripting Vulnerabilities
References:
References:
- Ashop Homepage (Ashop software)
- Multiple security vulnerabilities in AShop (security)