Authored by Sajibe Kanti

AmazCart Laravel Ecommerce System CMS version 3.4 suffers from a cross site scripting vulnerability.

# Exploit Title: AmazCart - Laravel Ecommerce System CMS 3.4 - 'Search' Cross-Site-Scripting — Reflected (AJAX)
# Date: 17/01/2023
# Exploit Author: Sajibe Kanti
# Vendor Name: CodeThemes
# Vendor Homepage:
# Software Link:
# Version: 3.4
# Tested on: Live Demo
# Demo Link :

# Description #

AmazCart - Laravel Ecommerce System CMS 3.4 is vulnerable to Reflected
cross-site scripting because of insufficient user-supplied data
sanitization. Anyone can submit a Reflected XSS payload without login in
when searching for a new product on the search bar. This makes the
application reflect our payload in the frontend search ber, and it is fired
everything the search history is viewed.

# Proof of Concept (PoC) : Exploit #

1) Goto:
2) Enter the following payload in 'Search Iteam box' : "><script>alert(1)</script>
3) Now You Get a Popout as Alert 1
4) Reflected XSS payload is fired

# Image PoC : Reference Image #

1) Payload Fired: