VYPR · Advisory · Medium severity, 4.8 (NVD) · Published Dec 30, 2017 · Updated May 13, 2026

CVE-2017-17986

Description

PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/caste_view.php comm_id parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Muslim Matrimonial Script is vulnerable to reflected XSS via the admin/caste_view.php comm_id parameter.

Vulnerability

The Muslim Matrimonial Script by PHP Scripts Mall contains a reflected cross-site scripting (XSS) vulnerability in the admin/caste_view.php file. The comm_id parameter is not properly sanitized before being reflected in the response, allowing injection of arbitrary HTML and JavaScript. This affects the version available at the time of the report (no specific version number provided in the reference, but the official demo site was tested). [1]

Exploitation

An attacker can exploit this by crafting a URL with a malicious comm_id parameter. For example, the proof-of-concept URL adds %27%22%3E123%3Cimg%20src=x%20onerror=console.log(/xss4/)%3E123%3C%27%22 to the parameter value (which decodes to '">123<img src=x onerror=console.log(/xss4/)>123<'"). The attack requires the victim to be logged into the admin panel and to click on the crafted link. No additional privileges are needed beyond the admin session. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the admin's browser. This can lead to session hijacking, defacement, or theft of sensitive data displayed on the affected admin page. The attacker does not gain direct server access but can perform actions as the admin user within the application's scope. [1]

Mitigation

No official patch has been released by PHP Scripts Mall as of the publication date (30-Dec-2017). Users should apply input validation and output encoding on the comm_id parameter. If possible, restrict access to the admin panel to trusted IPs and encourage administrators to avoid clicking untrusted links. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]
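To make the mitigation concrete, the following is an added example written for this page, not code from PHP Scripts Mall or the Muslim Matrimonial Script. It models the reflected-parameter pattern described under Vulnerability in a vulnerable form and a hardened form. It assumes that comm_id is meant to be a positive integer record id (the page does not say so), uses a constructed request value, and all function names are ours.

```php
<?php
// Added example (not the vendor's code). The real admin/caste_view.php is not
// reproduced here; the assumption that comm_id is a numeric record id is ours.

declare(strict_types=1);

// Vulnerable pattern: the raw request parameter is concatenated into HTML
// unchanged, so a quote and closing bracket in the value end the attribute
// and start attacker-controlled markup.
function renderCommunityVulnerable(array $get): string
{
    $commId = $get['comm_id'] ?? '';
    return '<input type="hidden" name="comm_id" value="' . $commId . '">';
}

// Hardened step 1: validate on input. An id should be a positive integer;
// anything else is rejected before it reaches the template.
function validateCommId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened step 2: encode on output regardless of validation, so that any
// value that is reflected cannot break out of its attribute or text context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderCommunityHardened(array $get): string
{
    $commId = validateCommId($get['comm_id'] ?? null);
    if ($commId === null) {
        // Reject rather than reflect: the invalid value never reaches the page.
        http_response_code(400);
        return '<p>Invalid community id.</p>';
    }
    return '<input type="hidden" name="comm_id" value="' . h((string) $commId) . '">';
}

// Constructed sample requests: one attribute-breakout value and one valid id.
$breakout = ['comm_id' => '1"><b>not an id</b>'];
$valid    = ['comm_id' => '7'];

echo "Vulnerable output (markup is injected):\n";
echo renderCommunityVulnerable($breakout), "\n\n";

echo "Hardened output (value rejected):\n";
echo renderCommunityHardened($breakout), "\n\n";

echo "Hardened output (valid id, encoded on the way out):\n";
echo renderCommunityHardened($valid), "\n";
```

Run with `php example.php`. Validation alone would be enough for a numeric id, but keeping htmlspecialchars on every reflected value is the habit that survives the next parameter that is not numeric; ENT_QUOTES matters because the page's proof of concept relies on a single quote and a double quote to close the surrounding attribute.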

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.