Vulnerability Details CVE-2021-27190
A Stored Cross Site Scripting(XSS) Vulnerability was discovered in PEEL SHOPPING 9.3.0 and 9.4.0, which are publicly available. The user supplied input containing polyglot payload is echoed back in javascript code in HTML response. This allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.031
EPSS Ranking 86.1%
CVSS Severity
CVSS v3 Score 5.4
CVSS v2 Score 3.5
References
- https://github.com/advisto/peel-shopping/issues/4#issuecomment-953461611
- https://github.com/anmolksachan/CVE-2021-27190-PEEL-Shopping-cart-9.3.0-Stored-XSS
- https://github.com/vulf/Peel-Shopping-cart-9.4.0-Stored-XSS
- https://www.peel-shopping.com/modules/telechargement/telecharger.php?id=7
- https://www.secuneus.com/cve-2021-27190-peel-shopping-ecommerce-shopping-cart-stored-cross-site-scripting-vulnerability-in-address/
- https://github.com/advisto/peel-shopping/issues/4#issuecomment-953461611
- https://github.com/anmolksachan/CVE-2021-27190-PEEL-Shopping-cart-9.3.0-Stored-XSS
- https://github.com/vulf/Peel-Shopping-cart-9.4.0-Stored-XSS
- https://www.peel-shopping.com/modules/telechargement/telecharger.php?id=7
- https://www.secuneus.com/cve-2021-27190-peel-shopping-ecommerce-shopping-cart-stored-cross-site-scripting-vulnerability-in-address/
Products affected by CVE-2021-27190
-
cpe:2.3:a:peel:peel_shopping:9.3.0
-
cpe:2.3:a:peel:peel_shopping:9.4.0