Cross-site Scripting (XSS) Vulnerability in the villagedefrance/opencart-overclocked library

 

 

CVE-2018-1000640

Overview

The villagedefrance/opencart-overclocked library is vulnerable to XSS because it echoes the $_GET['token'] value, without sanitizing it, into a JavaScript string literal in OpenCart-Overclocked/upload/admin/view/template/extension/openbay.tpl:

var token = "<?php echo $_GET['token']; ?>";

PoC

"; alert(1); //

Remediation

This issue has not yet been fixed.
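
With no upstream fix, the value has to be encoded for the JavaScript string context it is echoed into. The following is an added example, not code from the opencart-overclocked project; the function names are hypothetical and the sample input is the PoC value shown above.

```php
<?php
// Added example, not code from the opencart-overclocked project.
// Constructed input: the PoC value from this page, as it would
// arrive in $_GET['token'].
$token = '"; alert(1); //';

// Vulnerable form (as in openbay.tpl): raw echo inside a JS string literal.
// A double quote in the value ends the literal early.
function render_vulnerable(string $token): string
{
    return 'var token = "' . $token . '";';
}

// Hardened form: json_encode() emits a complete, quoted JS string literal.
// The JSON_HEX_* flags also escape <, >, &, ' and " as \uXXXX, so the value
// cannot close the string or the surrounding <script> element.
function render_hardened(string $token): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $literal = json_encode($token, $flags);
    if ($literal === false) {
        // Encoding failed (for example invalid UTF-8): fail closed.
        $literal = '""';
    }
    return 'var token = ' . $literal . ';';
}

echo render_vulnerable($token), PHP_EOL;
echo render_hardened($token), PHP_EOL;
```

In the template itself, the hardened form corresponds to printing the json_encode() result in place of the quoted raw echo.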
