CVE-2020-22808
Description
Reflected XSS in yii2_fecshop 2.x cart page due to unsanitized 'selectall' parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the check cart page of yii2_fecshop 2.x. The selectall GET parameter is echoed directly into inline JavaScript without proper encoding in appfront/theme/base/front/checkout/cart/index.php (line 294) and apphtml5/theme/base/html5/checkout/cart/index.php (line 175). The fix introduced \Yii::$service->helper->htmlEncode() to sanitize the value [1][2].
Exploitation
An attacker can craft a malicious URL containing a selectall parameter with a JavaScript payload, such as ?selectall=%22;alert(1);a=%22 [2]. The victim must visit the crafted URL while authenticated via the application. No additional privileges or special network position are required; the attack is purely reflected and executed in the victim's browser.
Impact
Successful exploitation allows an attacker to inject arbitrary JavaScript into the checkout cart page. This can lead to session hijacking, defacement, or theft of sensitive information (e.g., CSRF tokens) within the context of the victim's session [1][2].
Mitigation
The vulnerability is fixed in commit 8fac645 (2020) by sanitizing the selectall parameter with \Yii::$service->helper->htmlEncode() [1]. Users should update to the latest version of yii2_fecshop that includes this commit. No other workaround is documented in the available references.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- yii2_fecshop/yii2_fecshop
- Range: 2.x
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `selectall` GET parameter is directly interpolated into inline JavaScript without any sanitization or encoding."
Attack vector
An attacker crafts a URL containing a malicious payload in the `selectall` query parameter (e.g., `?selectall=");alert(1);//`). When a victim visits this URL on the checkout cart page, the unsanitized value is embedded directly into a JavaScript string assignment, causing the attacker's script to execute in the victim's browser context. No authentication or special privileges are required beyond luring the victim to the crafted link.
Affected code
The vulnerability resides in the checkout cart view files `appfront/theme/base/front/checkout/cart` and `apphtml5/theme/base/html5/checkout/cart`. The `selectall` GET parameter is directly interpolated into inline JavaScript without sanitization.
What the fix does
The patch applies `\Yii::$service->helper->htmlEncode()` to the `selectall` GET parameter before embedding it into the JavaScript context. This HTML-encodes dangerous characters (e.g., `<`, `>`, `"`, `'`), preventing an attacker from breaking out of the string literal and injecting arbitrary JavaScript. The same fix is applied in both the desktop and mobile (html5) cart templates.
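The effect of the fix can be shown with a small regression check. This is an added example, not code from yii2_fecshop: the template shape (`var selectall = "...";`) is assumed from the description above, and `html_encode()` is a hypothetical stand-in for the project's helper, assumed to behave like `htmlspecialchars()` with `ENT_QUOTES`.

```php
<?php
// Added illustration; not the project's code. Function names are hypothetical.

// Stand-in for \Yii::$service->helper->htmlEncode() (assumed behaviour).
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": the request value is placed into the inline script unchanged.
function render_unpatched(string $selectall): string
{
    return 'var selectall = "' . $selectall . '";';
}

// "After": the value is encoded before it is placed into the script.
function render_patched(string $selectall): string
{
    return 'var selectall = "' . html_encode($selectall) . '";';
}

// True only if the rendered line is a single assignment whose string literal
// closes at the final '";', i.e. the value never left the literal.
function value_stays_in_literal(string $script): bool
{
    $prefix = 'var selectall = "';
    if (strncmp($script, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    $len = strlen($script);
    for ($i = strlen($prefix); $i < $len; $i++) {
        if ($script[$i] === '\\') {
            $i++;                         // JS escape: skip the escaped character
        } elseif ($script[$i] === "\n" || $script[$i] === "\r") {
            return false;                 // a raw newline ends a JS string literal
        } elseif ($script[$i] === '"') {
            // the first unescaped quote must be the template's own closing quote
            return $i === $len - 2 && $script[$len - 1] === ';';
        }
    }
    return false;                         // literal never closed
}

// Constructed inputs: a plain value and the payload quoted on this page (URL-decoded).
foreach (['1', '";alert(1);a="'] as $input) {
    printf("%-16s unpatched=%s patched=%s\n", $input,
        var_export(value_stays_in_literal(render_unpatched($input)), true),
        var_export(value_stays_in_literal(render_patched($input)), true));
}
```

Run against both cart templates' rendered output, a check of this kind fails if the encoding call is later removed from either view.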
Preconditions
- input: The victim must visit a crafted URL containing a malicious `selectall` parameter.
- auth: No authentication is required; the checkout cart page is publicly accessible.
- network: The attacker must trick the victim into clicking or navigating to the malicious URL (e.g., via phishing or link injection).
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/fecshop/yii2_fecshop/commit/8fac6455882333cfe3d81c4121d523813e28e31a (mitre, x_refsource_CONFIRM)
- github.com/fecshop/yii2_fecshop/issues/87 (mitre, x_refsource_MISC)