CVE-2017-17953
Description
PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the category.php chid1 parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHP Multivendor Ecommerce has reflected XSS in the category.php chid1 parameter.
Vulnerability
PHP Scripts Mall PHP Multivendor Ecommerce (latest version as of December 2017) contains a reflected cross-site scripting (XSS) vulnerability in the category.php page via the chid1 parameter [1]. The parameter value is echoed unsanitized into the page response, allowing injection of arbitrary HTML and JavaScript. Affected version: latest (pre-patch) release at the time of disclosure.
Exploitation
An attacker can craft a malicious URL with a JavaScript payload in the chid1 parameter, such as http://www.fxwebsolution.com/demo/arthi/multivendor/category.php?chid1=40%27%22%3E123%3Cimg%20src=x%20onerror=console.log(/xss/)%3E123%3C%27%22 [1]. If a victim visits this link, the script executes in their browser context. No authentication or special privileges are required; user interaction is limited to clicking the link.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the context of the vulnerable application. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is limited by the scope of the affected page and the attacker's ability to trick users into clicking the crafted link.
Mitigation
The vendor has not released a public patch for this vulnerability as of the reference date [1]. The application appears to be unmaintained. Mitigation relies on input sanitization and output encoding for the chid1 parameter. Site administrators should apply web application firewall (WAF) rules or input validation to block known malicious patterns until a vendor fix is provided.
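As an added example (not the vendor's code; the real category.php source is not on the page), the following shows how the chid1 handler can be hardened with the two controls named above: validate the parameter as an integer category id, and HTML-encode anything that is still reflected into the response. The function names and the error message are assumptions.

```php
<?php
// Added example (hypothetical hardened handler for category.php, not the
// vendor's code): validate chid1 as an integer and encode any reflected text.
declare(strict_types=1);

/**
 * Validate chid1 as a positive integer category id. Returns null when the
 * value is missing or not a plain integer, so the caller can reject it
 * before it reaches a query or the response body.
 */
function parse_chid1(?string $raw): ?int {
    if ($raw === null) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "40'\">..." as well as "40abc".
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Output-encode a string before it is placed in HTML, e.g. an error message
 * that reflects what the user submitted. ENT_QUOTES covers both quote styles
 * so the result is also safe inside attribute values.
 */
function html_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Build the response fragment for category.php from the raw GET value. */
function render_category_fragment(?string $raw): string {
    $id = parse_chid1($raw);
    if ($id === null) {
        // Reflect the input only after encoding it: the advisory's payload
        // becomes inert text instead of an <img onerror=...> element.
        return '<p>Invalid category id: ' . html_escape((string) $raw) . '</p>';
    }
    // An integer cannot carry markup, but encode anyway for consistency.
    return '<h1>Category ' . html_escape((string) $id) . '</h1>';
}

// Constructed inputs: a benign id and the URL-decoded payload from the
// advisory's proof-of-concept link.
$benign  = '40';
$payload = "40'\">123<img src=x onerror=console.log(/xss/)>123<'\"";
echo render_category_fragment($benign), "\n";
echo render_category_fragment($payload), "\n";
```

The second output line shows the payload's angle brackets and quotes as HTML entities, which is the behaviour a WAF rule or manual test against the patched page should confirm.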
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References
[1] github.com/d4wner/Vulnerabilities-Report/blob/master/PHP%20Multivendor%20Ecommerce.md (NVD tags: Exploit, Third Party Advisory)
News mentions: 0 (no linked articles in our index yet)