# Exploit Title: Stored XSS in "Message" Functionality - alegrocartv1.2.9 # Date: 04/2025 # Exploit Author: Andrey Stoykov # Version: 1.2.9 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/
Stored XSS #1: Steps to Reproduce: 1. Login as demonstrator account and visit "Customers" > "Newsletter" 2. In "Message" use the following XSS payload <iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe> _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
