CVE-2017-17988

Vulnerability

PHP Scripts Mall Muslim Matrimonial Script is affected by a stored Cross-Site Scripting (XSS) vulnerability in the admin/event_add.php page. The event_title POST parameter is not properly sanitized, allowing an attacker to inject arbitrary HTML/JavaScript. This vulnerability exists in the latest version of the script as reported in reference [1].

Exploitation

An attacker must have administrative access to the application to reach the event_add.php page. The attacker submits a POST request with a crafted event_title parameter, such as test'\"><svg/onload=alert(/xss/)><'". The payload is stored in the database and executed when the event details are rendered in the admin panel [1].

Impact

Successful exploitation leads to execution of arbitrary JavaScript in the context of an administrator's browser session. This could result in theft of session cookies, defacement, or further administrative actions being taken without the victim's knowledge, potentially leading to full compromise of the application's admin functionality [1].

Mitigation

No official fix or updated version has been disclosed in the available references. As a workaround, administrators should sanitize and validate all input in event_title and other user-facing parameters. Since the script is no longer maintained by PHP Scripts Mall, users should consider migrating to a supported matrimonial script [1].