This issue is actively exploited in several online stores. We have tested and verified the issue in several online stores including: Etsy, Shopify, Alibaba, etc. You can inject arbitrary JavaScript code in edit account form. For example, you can steal password from user or send spam email. This issue is actively exploited in several online stores. We have tested and verified the issue in several online stores including: Etsy, Shopify, Alibaba, etc. You can inject arbitrary JavaScript code in edit account form. For example, you can steal password from user or send spam email. How to get this XSS? 1. In Account Settings, edit form, click on “edit” to change form. 2. Now enter any JavaScript code in the input box and click “Save”. In addition, you can use following Proof of Concept to exploit this XSS. 1. Navigate to “Edit Account” page of your online store. 2. Enter any JavaScript code in the input box and click “Save”.

Affected Store Etsy

Shopify
Alibaba

How to get this XSS?

1. In Account Settings, edit form, click on “edit” to change form. 2. Now enter any JavaScript code in the input box and click “Save”. In addition, you can use following Proof of Concept to exploit this XSS. 1. Navigate to “Edit Account” page of your online store. 2. Enter any JavaScript code in the input box and click “Save”.

Timeline

Published on: 10/11/2022 18:15:00 UTC
Last modified on: 10/11/2022 20:31:00 UTC

References