VaM Shop is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the advanced_search_result.php script. A remote attacker could exploit this vulnerability using multiple parameters in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
A laboratory researcher discovered a critical sql injection vulnerability in the VaM Shop v1.69 web application content management system.The sql vulnerability allow remote attackers to inject/execute own sql commands/statements on the affected VaM Shop v1.69 web application dbms. The vulnerability is located in the shopping_cart.php files with the bound vulnerable products_id parameter request. The vulnerability can be exploited by remote attackers without required user inter action. Successful exploitation of the vulnerability results in web applicationdbms and service compromise or stable application manipulation via sql injection.
A laboratory researcher discovered a client side Cross Site Scripting Vulnerability in the VaM Shop v1.69 web application content management system.The vulnerability is located in the advanced_search_result.php file when processing to load script code out of the search results web context. Successful exploitation results in session hijacking, non -persistent account phishing or client side content manipulation.
Proof of Concept:
1. Blind SQL injection in shopping_cart.php in parameter product_id. The SQL Injection vulnerability can be exploited by remote attackers without privileged application user account.For demonstration or reproduce ...
PoC: POST - SQL INJECTION
cart_delete=2071&cart_quantity=1&old_qty=1&products_id=2071'[SQL INJECTION VULNERABILITY] and sleep(37)%3d%27
2. Multiple Cross Site Scripting
The client side cross site scripting vulnerabilities can be exploited by remote attacker with medium or high required
user inter action.
For demonstration or reproduce ...