CVE-2017-17984
Description
PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/event_edit.php edit_id parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Muslim Matrimonial Script suffers from reflected XSS in the admin/event_edit.php edit_id parameter.
Vulnerability
PHP Scripts Mall Muslim Matrimonial Script (latest version) contains a reflected cross-site scripting (XSS) vulnerability in the admin/event_edit.php script. The edit_id parameter is not properly sanitized before being reflected in the response, allowing an attacker to inject arbitrary HTML or JavaScript. The vulnerable URL pattern is admin/event_edit.php?edit_id=[payload] [1].
Exploitation
An attacker can exploit this by crafting a malicious URL with a payload in the edit_id parameter. For example: http://74.124.215.220/~projclient/client/muslim-matrimony/admin/event_edit.php?edit_id=17%27%22%3E123%3Cimg%20src=x%20onerror=console.log(/xss/)%3E123%3C%27%22. The attacker then lures a logged-in admin user to click the link. No authentication from the attacker is required, but the admin user must be authenticated and visit the crafted URL [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the admin user's browser. This can lead to session hijacking, unauthorized actions on behalf of the admin, or theft of sensitive data displayed in the admin interface. The overall scope is limited to the victim's browser session [1].
Mitigation
No official fix from PHP Scripts Mall has been publicly documented. The vendor has not released a patched version as of the publication date (2017-12-30). To mitigate, administrators should avoid clicking untrusted links and implement input sanitization for the edit_id parameter. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
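One way to apply the input handling recommended above, as an added example that is not the vendor's code or a vendor patch. The source of admin/event_edit.php is not on this page, so the helper names `parse_edit_id`, `h` and `render_edit_field` are hypothetical, and the example assumes edit_id is meant to be a numeric event id, as the `17` in the reported URL suggests.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the vendor's event_edit.php source is not on the page.

/** Return edit_id as a positive integer, or null for anything else (arrays, markup, empty). */
function parse_edit_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** HTML-encode a value for element content or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the response fragment that reflects edit_id. */
function render_edit_field($raw): string
{
    $id = parse_edit_id($raw);
    if ($id === null) {
        // Reject without echoing the submitted value back.
        return 'Invalid event id.';
    }
    // Encode on output even though the value is already an integer (defence in depth).
    return '<input type="hidden" name="edit_id" value="' . h((string) $id) . '">';
}

// Constructed inputs: a normal id, then the URL-decoded payload shape from the report.
$samples = ['17', '17\'">123<img src=x onerror=console.log(/xss/)>123<\'"'];
foreach ($samples as $raw) {
    echo render_edit_field($raw), "\n";
}
// In the real script $raw would be $_GET['edit_id'] ?? null.
```

The first sample renders the hidden field with value 17; the second is rejected and never reaches the response body.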
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
[1] github.com/d4wner/Vulnerabilities-Report/blob/master/Muslim%20Matrimonial%20Script.md (nvd: Exploit, Issue Tracking, Third Party Advisory)