VYPR
Medium severity 6.1 · NVD Advisory · Published Dec 28, 2017 · Updated May 13, 2026

CVE-2017-17954

Description

PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the seller-view.php usid parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PHP Multivendor Ecommerce is vulnerable to reflected XSS via the usid parameter in seller-view.php, allowing arbitrary script execution.

Vulnerability

PHP Scripts Mall PHP Multivendor Ecommerce (latest version as of the report) contains a reflected cross-site scripting (XSS) vulnerability in the seller-view.php script. The usid parameter is not properly sanitized before being reflected in the response, allowing an attacker to inject arbitrary HTML and JavaScript. The official demo site at www.fxwebsolution.com was used to confirm the issue [1].

Exploitation

An attacker can craft a malicious URL containing a JavaScript payload in the usid parameter, such as http://www.fxwebsolution.com/demo/arthi/multivendor/seller-view.php?usid=60%27%22123%3Cimg%20src=x%20onerror=console.log(/xss2/)%3E123%3C%27%22. No authentication or special privileges are required; the victim only needs to visit the crafted link. The payload executes in the context of the victim's browser session [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, defacement of the page, or theft of sensitive information such as cookies or form data. The attack is reflected, so the impact is limited to the victim's current session and does not persist on the server [1].

Mitigation

No official patch or fixed version has been disclosed in the available references. The vendor (PHP Scripts Mall) has not released a security update addressing this specific XSS. As a workaround, developers should sanitize and validate all user-supplied input, especially the usid parameter, by escaping HTML special characters or using a whitelist of allowed values. Until a patch is available, users should avoid clicking untrusted links to the application [1].
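The workaround above, sketched as an added example (not the vendor's code and not taken from the advisory). The function names and the assumption that usid is a numeric seller id are hypothetical, since the source of seller-view.php is not shown; the second sample input is the decoded usid value from the URL quoted above.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: seller-view.php's real source is not on the page.

/**
 * Allow-list validation: accept usid only as 1 to 9 ASCII digits with no
 * leading zero. Returns the integer id, or null when it must be rejected.
 */
function parse_usid($raw): ?int
{
    // Rejects arrays (?usid[]=1), quotes, markup, whitespace and empty input.
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,8}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/** Output encoding for HTML text and quoted-attribute contexts. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Builds the fragment that echoes the id, or a fixed error if it is invalid. */
function render_seller_fragment($rawUsid): string
{
    $id = parse_usid($rawUsid);
    if ($id === null) {
        // Never reflect the rejected value back into the response.
        return '<p class="error">Invalid seller id.</p>';
    }
    // $id is an int here; h() is still applied so the output stays safe
    // if the field is later changed to carry free text.
    $safe = h((string) $id);
    return '<a href="seller-view.php?usid=' . $safe . '">Seller #' . $safe . '</a>';
}

// Constructed inputs: a normal id, the decoded usid from the advisory URL,
// and an array-typed parameter.
$samples = ['60', '60\'"123<img src=x onerror=console.log(/xss2/)>123<\'"', ['60']];
foreach ($samples as $sample) {
    echo render_seller_fragment($sample), PHP_EOL;
}

// Where a free-text value must be echoed, encode it at the point of output.
echo h('60\'"123<img src=x>'), PHP_EOL;
```

Validation and output encoding are applied together here: the allow-list rejects anything that is not an id, and the encoding keeps the page safe even if a later change lets other characters through.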

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
