VYPR
Medium severity · 6.1 · NVD Advisory · Published Dec 28, 2017 · Updated May 13, 2026

CVE-2017-17956

Description

PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the admin/sellerupd.php companyname parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PHP Multivendor Ecommerce suffers from a stored XSS via the admin/sellerupd.php companyname parameter.

Vulnerability

PHP Scripts Mall PHP Multivendor Ecommerce (the latest version available at the time of the report) contains a stored cross-site scripting (XSS) vulnerability in the admin/sellerupd.php endpoint. The companyname POST parameter is neither validated on input nor HTML-encoded on output, so an attacker can submit arbitrary HTML and JavaScript that is persisted to the database and later rendered as live markup. The vulnerable code path is reached when an authenticated admin user updates a seller's company name through the admin panel. No fixed version is known; all releases up to and including the latest at the time of disclosure are affected [1].

Exploitation

An attacker must already hold administrative access to the application (i.e., be logged in as an admin user). The attack is performed by sending a POST request to admin/sellerupd.php with a crafted payload in the companyname parameter; the published proof of concept uses abc pvt ltd'><svg/onload=alert(document.cookie)><'" . The payload's leading '> is shaped to break out of a quoted attribute value so that the <svg> element lands in page content, where its onload handler fires without any user interaction. The injected markup is stored in the database and rendered without encoding whenever the seller's profile is viewed, so the script executes in the browser of every user who opens that page [1].

Impact

Successful exploitation yields stored cross-site scripting: arbitrary JavaScript runs in the browser of any user who views the affected seller's profile. This can result in session hijacking (the PoC's alert(document.cookie) is precisely a check for whether the session cookie lacks the HttpOnly flag), defacement, or redirection to malicious sites. Execution is confined to the victim's browser, but because the payload is stored, many users can be hit without further attacker interaction. Since planting the payload requires admin credentials, the realistic threat is a malicious or compromised administrator account targeting other users of the panel [1].

Mitigation

No official patch or fixed version had been released by PHP Scripts Mall as of the public report date, and the vendor has not acknowledged the issue in the available references. Administrators should ensure the companyname field, and every other admin-editable text field, is HTML-encoded at each output point (in PHP, htmlspecialchars() with ENT_QUOTES so that both quote styles are neutralised in attribute context), and should validate input against an allow-list of plausible characters as defense in depth. Marking session cookies HttpOnly and deploying a Content Security Policy limit what any residual injection can do. Alternatively, consider migrating to an actively maintained e-commerce solution [1].
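To make the flaw described under Vulnerability and the fix described under Mitigation concrete, here is an added PHP example. It is not code from the PHP Scripts Mall product (the reference does not reproduce its source); the sellers table, the companyname column, PDO over an in-memory SQLite database (requires the pdo_sqlite extension) standing in for the product's MySQL backend, the single-quoted value='...' attribute that the PoC payload's leading '> implies, and the allow-list validation rule are all assumptions made for illustration. The only input is the proof-of-concept payload quoted above, embedded as a constructed sample.

```php
<?php
// Added example, not code from PHP Scripts Mall's PHP Multivendor Ecommerce.
// Assumptions: a `sellers` table with a `companyname` column, PDO over an
// in-memory SQLite database standing in for the product's MySQL backend, and
// a single-quoted value='...' attribute (implied by the PoC payload's leading '>).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sellers (id INTEGER PRIMARY KEY, companyname TEXT NOT NULL)');
$db->exec("INSERT INTO sellers (id, companyname) VALUES (7, 'Example Traders')");

// What a sellerupd.php-style handler does with the submitted value: the prepared
// statement blocks SQL injection, but the string is persisted verbatim, so any
// markup in it survives until render time. This is the "stored" half of the bug.
function updateSeller(PDO $db, int $id, string $companyname): void
{
    $stmt = $db->prepare('UPDATE sellers SET companyname = :name WHERE id = :id');
    $stmt->execute([':name' => $companyname, ':id' => $id]);
}

function fetchCompanyName(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT companyname FROM sellers WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Vulnerable render: the stored string is concatenated into HTML unencoded, once
// inside a single-quoted attribute and once as element text. The PoC's leading '>
// terminates the attribute and the <svg onload=...> that follows becomes live markup.
function renderVulnerable(string $companyname): string
{
    return "<input type='text' name='companyname' value='" . $companyname . "'>\n"
         . "<h2>" . $companyname . "</h2>";
}

// Hardened render: HTML-encode at the output point. ENT_QUOTES covers both quote
// styles, so the encoded value is safe in single- or double-quoted attributes and
// in text; ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderHardened(string $companyname): string
{
    return "<input type='text' name='companyname' value='" . e($companyname) . "'>\n"
         . "<h2>" . e($companyname) . "</h2>";
}

// Defence in depth on input (an assumed policy, not one the vendor documents):
// a company name has no legitimate need for < > or other markup characters.
function isPlausibleCompanyName(string $s): bool
{
    return strlen($s) <= 120
        && preg_match('/^[\p{L}\p{N} .,&\'()\-]+$/u', $s) === 1;
}

// Constructed input: the proof-of-concept payload quoted in the advisory.
$payload = "abc pvt ltd'><svg/onload=alert(document.cookie)><'\"";

printf("allow-list accepts payload: %s\n\n", isPlausibleCompanyName($payload) ? 'yes' : 'no');

updateSeller($db, 7, $payload);       // the unpatched handler stores it as-is
$stored = fetchCompanyName($db, 7);

echo "vulnerable output:\n", renderVulnerable($stored), "\n\n";
echo "hardened output:\n", renderHardened($stored), "\n";
```

Run it with php on the command line: the vulnerable branch emits the <svg onload=...> element as live markup after the closed attribute, the hardened branch emits it as &lt;svg/onload=...&gt; with the quotes encoded, so it stays inert inside both the attribute and the heading, and the allow-list rejects the payload before it is ever stored. Encoding at the output point is the primary fix; input validation is a second layer, because the same stored value may later be emitted in other contexts (JSON, e-mail templates, CSV exports) where an input filter tuned for HTML would not help.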

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.


References

1
