CVE-2017-17958
Description
PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the my_wishlist.php fid parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHP Multivendor Ecommerce has a reflected XSS in my_wishlist.php via the fid parameter, allowing arbitrary script injection.
Vulnerability
PHP Multivendor Ecommerce, the latest version as of the report, contains a reflected cross-site scripting (XSS) vulnerability in the my_wishlist.php script. The fid GET parameter is not properly sanitized before being reflected back in the response, allowing an attacker to inject arbitrary HTML and JavaScript. The vulnerable endpoint is: http://www.fxwebsolution.com/demo/arthi/multivendor/my_wishlist.php?fid=... [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing a payload in the fid parameter. The proof-of-concept URL: http://www.fxwebsolution.com/demo/arthi/multivendor/my_wishlist.php?fid=60%27%22123%3Cimg%20src=x%20onerror=console.log(/xss4/)%3E123%3C%27%22 triggers JavaScript execution in the victim's browser. No authentication is required; the attacker only needs to trick the victim into clicking the crafted link [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is limited to the user's browser session, but sensitive data such as cookies can be exfiltrated [1].
Mitigation
As of the report date, the vendor has released no official fix or patched version. Administrators should treat the fid parameter in my_wishlist.php (and all other user-supplied input) as untrusted: HTML-encode it before it is reflected into the response, and validate it against the format the application actually expects. Until a patch is available, deploy web application firewall (WAF) rules to block malicious payloads, or disable the parameter if it is not needed [1].
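To make the two remedies above concrete, here is an added example in PHP (hypothetical code, not the product's own my_wishlist.php) that contrasts unsafe reflection of fid with output encoding via htmlspecialchars and a whitelist check on the parameter's expected format; the function names and the assumption that fid is a numeric wishlist id are mine.

```php
<?php
// Added example (hypothetical, not the product's own code): a minimal
// my_wishlist.php-style handler that reflects the fid parameter, first as the
// unsafe pattern the advisory describes, then with output encoding plus
// input validation.

// Unsafe: fid is echoed verbatim into HTML, so a fid value containing quotes
// and tags is parsed as markup by the browser.
function render_wishlist_unsafe(string $fid): string
{
    return "<div class=\"wishlist\" data-fid=\"$fid\">Wishlist $fid</div>";
}

// Fix 1 (output encoding): HTML-encode every reflected value. ENT_QUOTES makes
// both ' and " safe inside attribute values; ENT_SUBSTITUTE avoids returning
// an empty string on invalid UTF-8, which would otherwise mask the problem.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_wishlist_safe(string $fid): string
{
    $enc = encode_for_html($fid);
    return "<div class=\"wishlist\" data-fid=\"$enc\">Wishlist $enc</div>";
}

// Fix 2 (input validation): a wishlist id is assumed to be a positive
// integer, so reject anything else before it reaches the template at all.
function validate_fid(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Constructed sample input with the same shape as the reported payload.
$attack = '60\'"123<img src=x onerror=console.log(/xss4/)>123<\'"';

$unsafe = render_wishlist_unsafe($attack);
assert(strpos($unsafe, '<img') !== false);   // live tag reaches the browser

$safe = render_wishlist_safe($attack);
assert(strpos($safe, '<img') === false);     // tag is now literal text
assert(strpos($safe, '&lt;img') !== false);

assert(validate_fid($attack) === null);      // rejected outright
assert(validate_fid('60') === 60);           // normal request still works
```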
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
- github.com/d4wner/Vulnerabilities-Report/blob/master/PHP%20Multivendor%20Ecommerce.md (source: nvd; tags: Exploit, Third Party Advisory)
News mentions (0)
No linked articles in our index yet.