CVE-2017-17955
Description
PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the shopping-cart.php cusid parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHP Multivendor Ecommerce shopping-cart.php has a reflected XSS vulnerability in the cusid parameter that allows arbitrary JavaScript execution.
Vulnerability
PHP Multivendor Ecommerce (latest version) contains a reflected cross-site scripting (XSS) vulnerability in shopping-cart.php via the cusid parameter [1]. The parameter is not properly sanitized before being reflected in the response, allowing an attacker to inject arbitrary HTML and JavaScript. The vulnerability is present in the demo version at http://www.fxwebsolution.com/demo/arthi/multivendor/ and likely affects all installations of this software [1].
Exploitation
An attacker can exploit this vulnerability by crafting a URL with a malicious payload in the cusid parameter, for example: http://www.fxwebsolution.com/demo/arthi/multivendor/shopping-cart.php?cusid=60%27%22123%3Cimg%20src=x%20onerror=console.log(/xss3/)%3E123%3C%27%22 [1]. No authentication is required, and the attacker only needs to trick a victim into clicking the crafted link or visiting the URL. The payload executes in the victim's browser session [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, cookie theft, defacement, or redirection to malicious sites. Since the XSS is reflected, the impact is limited to the victim's session and does not persist in the application [1].
Mitigation
As of the publication date (2017-12-28), no official fix or patched version has been released by the vendor [1]. The application appears to be unmaintained; users should consider migrating to a supported ecommerce platform. Preventing the XSS requires both input validation and output encoding of the cusid parameter. No workaround is provided in the available references [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
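The input validation and output encoding called for under Mitigation, sketched as an added example; this is not the vendor's code, and the source of shopping-cart.php is not on this page. It assumes cusid is a numeric customer ID (the reported URL begins cusid=60); the function names parse_cusid, h and render_cart_link are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper. Assumption: cusid is a numeric customer ID.
// Accepts any type because $_GET['cusid'] can be an array (?cusid[]=1).
function parse_cusid($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    // Allow-list: ASCII digits only, bounded length; \A and \z anchor the
    // whole string so a trailing newline cannot slip through.
    if (preg_match('/\A[0-9]{1,9}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Output encoding for HTML text and quoted attribute values.
// ENT_QUOTES matters here: the reported payload carries both ' and ",
// which would close a single- or double-quoted attribute if left raw.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_cart_link($rawCusid): string
{
    $cusid = parse_cusid($rawCusid);
    if ($cusid === null) {
        // Reject rather than repair, and never echo the rejected value back.
        return '<p>Invalid customer ID.</p>';
    }
    $id = h((string) $cusid);
    return '<a href="shopping-cart.php?cusid=' . $id . '">Cart for customer ' . $id . '</a>';
}

// Constructed inputs: a normal ID, an array-style parameter, and the
// URL-decoded cusid value from the report cited on this page.
$samples = ['60', ['60'], "60'\"123<img src=x onerror=console.log(/xss3/)>123<'\""];
foreach ($samples as $s) {
    echo render_cart_link($s), PHP_EOL;
    if (is_string($s)) {
        // Defence in depth: what the encoder alone does to the same string.
        echo '  encoded: ', h($s), PHP_EOL;
    }
}
```

In a real handler the argument would be `$_GET['cusid'] ?? null`; validation rejects the malformed value, and encoding keeps any value that is ever echoed inert.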
Affected products: 1
Patches: 0
No patches discovered yet.
References
[1] github.com/d4wner/Vulnerabilities-Report/blob/master/PHP%20Multivendor%20Ecommerce.md (nvd; Exploit; Third Party Advisory)