VYPR
Medium severity 4.8 · NVD Advisory · Published Dec 27, 2017 · Updated May 13, 2026

CVE-2017-17925

Description

PHP Scripts Mall Professional Service Script has XSS via the admin/general_settingupd.php website_title parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PHP Scripts Mall Professional Service Script is vulnerable to stored XSS via the website_title parameter in admin/general_settingupd.php.

Vulnerability

PHP Scripts Mall Professional Service Script (latest version as of 2017) contains a stored cross-site scripting (XSS) vulnerability in the admin/general_settingupd.php file. The website_title POST parameter is not properly sanitized before being stored and later displayed, allowing an attacker to inject arbitrary HTML or JavaScript. This issue is identified in the reference [1].

Exploitation

An attacker can exploit this vulnerability by submitting a crafted payload in the website_title parameter via a POST request to admin/general_settingupd.php. The request can be made directly if the attacker has admin panel access, or via a cross-site request forgery (CSRF) attack to trick an authenticated administrator into unintentionally submitting the malicious payload [1]. No authentication bypass is required if CSRF is used.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the administrator's browser. This can lead to session hijacking, cookie theft, or further attacks against the admin panel. The stored XSS persists until manually removed, affecting any admin who views the settings page.

Mitigation

No official patch has been released by PHP Scripts Mall as of the publication date (December 27, 2017). The vendor has not provided a fixed version. Mitigation requires input validation and output encoding for the website_title parameter. Administrators should restrict access to the admin panel and avoid clicking on untrusted links.
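
One way to apply the input validation and output encoding named above, together with a CSRF token check for the request path described under Exploitation. This is an added example, not PHP Scripts Mall's code; the function names, the csrf_token field and the 120-character limit are assumptions.

```php
<?php
// Added illustration, not the vendor's code. Function names, the csrf_token
// field and the 120-character limit are assumptions.
declare(strict_types=1);

// Constant-time comparison of the session token with the submitted one.
function csrf_ok(string $sessionToken, $submitted): bool
{
    return $sessionToken !== '' && is_string($submitted)
        && hash_equals($sessionToken, $submitted);
}

// Input validation: must be a string of 1..120 valid UTF-8 characters with no
// control characters. Returns the title to store, or null to reject.
function validate_title($raw): ?string
{
    if (!is_string($raw)) return null;
    $title = trim($raw);
    return preg_match('/^[^\x00-\x1F\x7F]{1,120}$/u', $title) === 1 ? $title : null;
}

// Output encoding: applied every time the stored value is written into HTML.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Settings update: reject requests without the session's token, then validate.
function handle_update(array $post, array $session, array &$settings): int
{
    if (!csrf_ok($session['csrf_token'] ?? '', $post['csrf_token'] ?? null)) {
        return 403;
    }
    $title = validate_title($post['website_title'] ?? null);
    if ($title === null) {
        return 422;
    }
    $settings['website_title'] = $title; // stored as plain text, encoded at render
    return 200;
}

// Constructed sample data: a cross-site POST without a token, then a valid one.
$session  = ['csrf_token' => bin2hex(random_bytes(32))];
$settings = ['website_title' => 'My Site'];
$forged   = ['website_title' => 'Changed by a cross-site form'];
$legit    = ['csrf_token' => $session['csrf_token'], 'website_title' => 'Tom & "Jerry" <b>Services</b>'];
echo handle_update($forged, $session, $settings), "\n";
echo handle_update($legit, $session, $settings), "\n";
echo '<title>', e($settings['website_title']), "</title>\n";
```

Validation here deliberately allows characters such as `<` and `&` in a title, so the encoding step at render time is what keeps the stored value inert in the page.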

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
