Medium
resolved
Cache Poisoning Allows Zero Interaction Stored XSS
Bug reported by Sam Ark, disclosed on March 22, 2025, 12:35 pm | Cross-site Scripting (XSS) - Stored
The vulnerability allowed an attacker to perform a cache poisoning attack, which resulted in zero-interaction stored cross-site scripting (XSS) on the Trendyol website. The attacker modified the User-Agent header and added a malicious parameter to the URL; the server cached the resulting response, and the injected content executed when a victim visited the page.
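The following is an added example, not code from the report or from Trendyol: a small model of a cache in front of an origin, comparing a path-only cache key with a key that covers every input the response depends on. The report does not say which inputs were left out of the cache key, so the model assumes both the query string and the User-Agent were; the `ref` parameter, the template variants and all function names are hypothetical, and the marker is a constructed, inert value.

```python
import html
from urllib.parse import urlsplit, parse_qsl

MARKER = '"><b>INJECTED</b>'  # constructed, inert stand-in for attacker markup

def origin(url, user_agent, escape):
    """Hypothetical origin: template chosen by User-Agent, 'ref' param reflected."""
    ref = dict(parse_qsl(urlsplit(url).query)).get("ref", "")
    if escape:
        ref = html.escape(ref, quote=True)  # output-encode the reflected value
    variant = "mobile" if "Mobile" in user_agent else "desktop"
    return f'<body class="{variant}"><a href="/?ref={ref}">home</a></body>'

def weak_key(url, user_agent):
    # Weak setting: key on the path only, so query string and User-Agent are unkeyed.
    return urlsplit(url).path

def strict_key(url, user_agent):
    # Corrected setting: every input that changes the response is part of the key.
    parts = urlsplit(url)
    variant = "mobile" if "Mobile" in user_agent else "desktop"
    return (parts.path, tuple(sorted(parse_qsl(parts.query))), variant)

class Cache:
    def __init__(self, key_fn, escape):
        self.key_fn, self.escape, self.store = key_fn, escape, {}

    def get(self, url, user_agent):
        key = self.key_fn(url, user_agent)
        if key not in self.store:  # miss: fetch from origin and store
            self.store[key] = origin(url, user_agent, self.escape)
        return self.store[key]

def later_visitor_sees_marker(cache):
    """One crafted request, then an ordinary visit to the same path."""
    cache.get("/?ref=" + MARKER, "Mozilla/5.0 (Mobile)")
    return MARKER in cache.get("/", "Mozilla/5.0 (X11; Linux x86_64)")

if __name__ == "__main__":
    print("path-only key:", later_visitor_sees_marker(Cache(weak_key, escape=False)))
    print("full key + encoding:", later_visitor_sees_marker(Cache(strict_key, escape=True)))
```

Either control alone stops the marker from reaching the later visitor in this model; keying correctly also stops the wrong template variant from being served.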

