VYPR
Medium severity 4.8 · NVD Advisory · Published Dec 30, 2017 · Updated May 13, 2026

CVE-2017-17985

Description

PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/state_view.php cou_id parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in Muslim Matrimonial Script allows attackers to inject arbitrary JavaScript via the cou_id parameter in admin/state_view.php.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in PHP Scripts Mall Muslim Matrimonial Script (latest version as of 2017) through the cou_id parameter in admin/state_view.php. The application fails to sanitize user input before reflecting it back in the page, allowing an attacker to inject arbitrary HTML and JavaScript [1].

Exploitation

An attacker can craft a malicious URL containing a payload in the cou_id parameter, such as: '"123<'". If an authenticated admin visits this link, the injected script executes in the context of the admin's session. The attacker needs no authentication of their own; it is enough to direct the admin to the link [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session token theft, data exfiltration, or actions performed on behalf of the admin. The scope is limited to the admin's privileges [1].

Mitigation

No official fix or updated version has been released by the vendor as of the publication date. Users should consider disabling the affected functionality or implementing input validation and output encoding for the cou_id parameter. The vendor, PHP Scripts Mall, may have addressed this in later versions; however, the CVE record does not specify a patched release [1].
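
The two controls named above, input validation and output encoding for cou_id, as an added example in PHP (the language of the affected script). This is not the vendor's code or a patch: the helper names parse_cou_id and h are hypothetical, and treating cou_id as a numeric id is an assumption the CVE record does not confirm.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not code from the Muslim Matrimonial Script.

/**
 * Input validation: accept cou_id only as a short positive decimal integer.
 * Assumption: cou_id is a numeric id; the advisory does not state its type.
 */
function parse_cou_id(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null; // missing parameter, or an array such as ?cou_id[]=1
    }
    // Anchored allow-list: 1 to 9 digits, no sign, whitespace or trailing bytes.
    if (preg_match('/\A[1-9][0-9]{0,8}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

/** Output encoding for HTML text nodes and quoted attribute values. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs; the second is the test string quoted in the advisory.
// In a request handler the value would come from $_GET['cou_id'] ?? null.
$samples = ['42', '\'"123<\'"', '7abc', ['1']];

foreach ($samples as $raw) {
    $id = parse_cou_id($raw);
    if ($id === null) {
        // Reject; if the bad value must be shown at all, show it encoded.
        $shown = is_string($raw) ? h($raw) : '(non-string)';
        echo "rejected: {$shown}\n";
        continue;
    }
    // A validated value is still encoded at the point it is written into markup.
    echo '<input type="hidden" name="cou_id" value="' . h((string) $id) . "\">\n";
}
```

Validation alone protects only this one parameter; encoding at every output point is what keeps a value that slips through validation elsewhere from being parsed as markup.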

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
