edu Business Solutions Print Shop Pro WebDesk Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored Cross-Site Scripting (XSS) vulnerability has been identified in edu Business Solutions Print Shop Pro WebDesk version 18.34. The issue arises in the TemplatePreview.aspx endpoint, where user-supplied input is stored and later rendered on HTML pages without adequate output encoding or sanitization. This flaw allows attackers to inject arbitrary JavaScript that executes in the context of other users' sessions.
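The missing output encoding described above, shown as an added example that is not code from Print Shop Pro WebDesk: a renderer that concatenates stored order field values into HTML, beside one that encodes them at output time. The class, method and field names are assumptions made for illustration, and the sample order data is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

// Hypothetical stand-in for a page that renders stored order field values.
// All names here are assumptions, not the product's code.
public static class PreviewRenderer
{
    // Vulnerable pattern: the stored value is concatenated into markup as-is,
    // so any tags it contains become part of the page.
    public static string RenderUnsafe(IDictionary<string, string> fields)
    {
        var sb = new StringBuilder("<table>");
        foreach (var f in fields)
            sb.Append("<tr><td>" + f.Key + "</td><td>" + f.Value + "</td></tr>");
        return sb.Append("</table>").ToString();
    }

    // Hardened pattern: encode every stored value when it is written out.
    // WebUtility.HtmlEncode escapes <, >, &, " and ', so the same encoded
    // string is safe as element text and inside a double-quoted attribute.
    public static string RenderSafe(IDictionary<string, string> fields)
    {
        var sb = new StringBuilder("<table>");
        foreach (var f in fields)
        {
            string label = WebUtility.HtmlEncode(f.Key);
            string value = WebUtility.HtmlEncode(f.Value ?? string.Empty);
            sb.Append($"<tr><td>{label}</td><td title=\"{value}\">{value}</td></tr>");
        }
        return sb.Append("</table>").ToString();
    }

    public static void Main()
    {
        // Constructed sample order data: one plain value, one containing a
        // script tag, one with quotes and an ampersand.
        var fields = new Dictionary<string, string>
        {
            ["Job name"] = "Spring newsletter",
            ["Notes"] = "<script>alert(1)</script>",
            ["Paper"] = "8.5\" x 11\" & glossy"
        };
        Console.WriteLine("unsafe output contains a live script tag: "
            + RenderUnsafe(fields).Contains("<script>"));
        Console.WriteLine("safe output contains a live script tag:   "
            + RenderSafe(fields).Contains("<script>"));
        Console.WriteLine(RenderSafe(fields));
    }
}
```

Encoding at output time protects values that were already stored before any input validation was added.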
Impact
Exploiting this vulnerability allows an attacker to inject malicious JavaScript that executes in the context of other users' sessions. This could lead to unauthorized access to user session data, retrieval of malware, and theft of sensitive information.
Reproduction
To reproduce this vulnerability, authenticate to Print Shop Pro WebDesk version 18.34 and create a new order. Inject XSS payloads, such as script tags containing JavaScript, into the 'ctl00_Content01_fieldValue' parameters. Once the order is submitted, the injected scripts execute whenever the order is viewed, demonstrating the stored XSS vulnerability.
