CVE-2011-4544
Prestashop < 1.5 - Cross-Site Scripting via Multiple Parameters
Title source: llmExploitation Summary
EIP tracks 4 public exploits for CVE-2011-4544. PoCs published by Prestashop.
AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in PrestaShop's Mondial Relay module by injecting a malicious script via the 'num_mode' POST parameter. The vulnerability arises due to insufficient input sanitization, allowing arbitrary JavaScript execution in the context of the affected site.
Description
Multiple cross-site scripting (XSS) vulnerabilities in Prestashop before 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) address or (2) relativ_base_dir parameter to modules/mondialrelay/googlemap.php; the (3) relativ_base_dir, (4) Pays, (5) Ville, (6) CP, (7) Poids, (8) Action, or (9) num parameter to prestashop/modules/mondialrelay/googlemap.php; (10) the num_mode parameter to modules/mondialrelay/kit_mondialrelay/RechercheDetailPointRelais_ajax.php; (11) the Expedition parameter to modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php; or the (12) folder or (13) name parameter to admin/ajaxfilemanager/ajax_save_text.php.
Exploits (4)
This exploit demonstrates a stored XSS vulnerability in PrestaShop's Mondial Relay module by injecting a malicious script via the 'num_mode' POST parameter. The vulnerability arises due to insufficient input sanitization, allowing arbitrary JavaScript execution in the context of the affected site.
This exploit demonstrates a cross-site scripting (XSS) vulnerability in PrestaShop's Mondial Relay module. The vulnerability allows arbitrary script execution via unsanitized input in the 'Expedition' POST parameter.
This exploit demonstrates multiple XSS vulnerabilities in PrestaShop's mondialrelay module by injecting malicious JavaScript via unsanitized input parameters. The PoC provides direct URLs to trigger the vulnerabilities.
This exploit demonstrates a stored XSS vulnerability in PrestaShop's ajax_save_text.php by injecting malicious scripts via the 'folder' and 'name' parameters. The vulnerability arises due to insufficient input sanitization, allowing arbitrary JavaScript execution in the context of the affected site.