CVE-2014-9004
Description
Cross-site scripting (XSS) vulnerability in vldPersonals before 2.7.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter in a member_profile action to index.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
vldPersonals 2.7, and every release before 2.7.1, suffers from a reflected XSS in the member_profile action via the id parameter, allowing arbitrary script injection.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in vldPersonals 2.7, the version tested, and in all releases before 2.7.1, in the member_profile action of index.php. The id parameter is taken directly from the URL and reflected into an HTML tag attribute without validation or output encoding. Because the reflection lands inside a quoted attribute value, a value that contains a double quote followed by a closing angle bracket (as the proof-of-concept URL does) terminates the attribute and the tag, and everything after it is parsed as markup, allowing injection of arbitrary HTML and JavaScript. The vulnerability is triggered when a user visits a crafted URL containing the malicious payload in the id parameter [1].
Exploitation
An attacker can craft a URL such as http://target/index.php?m=member_profile&p=profile&id=9811c">b7ec317c816 and trick a victim into following it. The value after id= is a harmless probe rather than a working exploit: the double quote and closing angle bracket close the attribute and the tag, and the hex marker then shows up in the page body, which proves the breakout; a real payload would put an event handler or a script element in its place. No authentication is required; the attacker only needs to convince the victim (even an unauthenticated visitor) to follow the link. The injected script executes in the victim's browser within the origin of the vulnerable site [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, cookie theft, defacement, phishing, or redirection to malicious sites. The impact is limited to the client side and does not directly compromise the server. However, because the script runs in the origin of the vulnerable site, it may read session data or perform actions on behalf of the victim. Reading the session cookie directly requires that it was set without the HttpOnly flag; driving authenticated requests from the victim's browser does not depend on that [1].
Mitigation
The vendor released version 2.7.1, which fixes this issue; users should upgrade to vldPersonals 2.7.1 or later. No other workaround is documented. Where the code is maintained locally, the id parameter should be validated against the identifier format the application expects and HTML-attribute-encoded wherever it is written into the page, so that a double quote in the value can no longer terminate the attribute. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog [1].
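The reflection described under Vulnerability and the fix described under Mitigation, as an added example that is not vldPersonals' own code: a Python stand-in for the PHP template (vldPersonals is written in PHP; the attribute the id is reflected into, the profile link rendered here, the probe-detection check and the assumption that member ids are decimal integers are all assumptions of this example). It renders the id the unpatched way, with output encoding only, and with validation plus encoding, and checks whether the probe string from the proof-of-concept URL escapes the attribute in each case.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Probe string taken from the PoC URL on this page. It carries no script:
# the `">` closes the attribute value and the tag, and the hex marker then
# lands in body context, which is enough to prove the attribute breakout.
PROBE = '9811c">b7ec317c816'
MARKER = "b7ec317c816"


def id_from_url(url: str) -> str:
    """Extract the id query parameter the way the server side would."""
    return parse_qs(urlsplit(url).query).get("id", [""])[0]


def render_vulnerable(member_id: str) -> str:
    """Stand-in for the unpatched member_profile template (assumption: the
    PHP code interpolates $_GET['id'] into an attribute verbatim, as the
    advisory text describes). No validation, no encoding."""
    return (
        '<a href="index.php?m=member_profile&p=profile&id='
        + member_id
        + '">View profile</a>'
    )


def render_encoded(member_id: str) -> str:
    """Output encoding only: html.escape with quote=True turns the probe's
    double quote into &quot; so it can no longer terminate the attribute."""
    return (
        '<a href="index.php?m=member_profile&p=profile&id='
        + html.escape(member_id, quote=True)
        + '">View profile</a>'
    )


def render_hardened(member_id: str) -> str:
    """Validation plus encoding. Assumption: member ids are decimal
    integers, so anything else is rejected before it reaches the template;
    the encoding stays in place as defence in depth."""
    if not re.fullmatch(r"[0-9]{1,10}", member_id):
        raise ValueError("invalid member id")
    return render_encoded(member_id)


def attribute_breakout(rendered: str) -> bool:
    """Crude check used by this example: blank out every quoted attribute
    value and see whether the marker survives. If it does, the payload
    terminated the attribute and the marker sits in tag/body context, where
    a browser would parse attacker-controlled text as markup."""
    outside_attributes = re.sub(r'"[^"]*"', '""', rendered)
    return MARKER in outside_attributes


if __name__ == "__main__":
    crafted = "http://target/index.php?m=member_profile&p=profile&id=" + PROBE
    pid = id_from_url(crafted)
    print("vulnerable breakout:", attribute_breakout(render_vulnerable(pid)))  # True
    print("encoded breakout:", attribute_breakout(render_encoded(pid)))  # False
    try:
        render_hardened(pid)
    except ValueError as exc:
        print("hardened:", exc)
```

Encoding alone is what stops the probe, because the attack depends on the double quote reaching the attribute unencoded; the integer check in render_hardened is the cheap extra layer that also keeps junk out of the database lookup behind the profile page.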
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.