CVE-2021-47856
Description
Easy Cart Shopping Cart 2021 contains a non-persistent cross-site scripting vulnerability in the search module's keyword parameter. Remote attackers can inject malicious script code through the search input to compromise user sessions and manipulate application content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Non-persistent XSS in Easy Cart Shopping Cart 2021 search module allows remote attackers to inject malicious scripts via the keyword parameter, compromising sessions and content.
Vulnerability
## Overview
The Easy Cart Shopping Cart 2021 suffers from a reflected cross-site scripting (XSS) vulnerability in its search module. The value of the keyword parameter is written into the application's response without proper output encoding, so attacker-supplied HTML and JavaScript are rendered and executed by the victim's browser [1][2]. This is a classic non-persistent (reflected) XSS flaw: the payload is not stored by the application and executes only for users who open a request that carries it.
## Exploitation & Attack Surface
An attacker crafts a URL to the search endpoint with a malicious value in the keyword parameter. When a victim opens that URL, the injected script runs in the victim's browser in the origin of the vulnerable site, with access to that site's DOM and to any requests the browser makes on the victim's behalf. According to the advisory, no authentication is required, because the search function is reachable by unauthenticated users [2]. The attack surface is confined to the search input, but because the flaw is reflected, the payload must be delivered to each victim individually, typically as a link in a phishing email or another social-engineering lure.
## Impact
Successful exploitation lets the attacker execute arbitrary JavaScript in the victim's browser in the context of the vulnerable site. This enables theft of the session cookie where it is not marked HttpOnly, and therefore session hijacking; even with HttpOnly set, the script can still issue requests that carry the victim's session, so actions can be performed on the victim's behalf. It also allows the page to be altered as rendered for that victim, for example to show a fake login form that harvests credentials [2]. Because the injection is reflected, such changes affect only users who open the crafted link, not the stored content of the site. The impact is greater when the victim holds administrative privileges, where a hijacked session can lead to account takeover and further compromise of the application.
## Mitigation & Status
The issue was reported to the vendor (NetArt Media) in September 2021, and a patch was reportedly developed [2]. The public disclosure in December 2021 does not state whether that fix was released to customers. Users are advised to contact the vendor for an update. As a workaround, the value of the keyword parameter must be output-encoded for the context it is written into (HTML text or attribute value) wherever it is reflected; input filtering on its own is easy to bypass and is not a substitute. A Content-Security-Policy that disallows inline script is a useful additional layer but does not replace encoding. As of the CVE publication date, no further details on a permanent fix are available from the vendor website [1].
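The reflection described in the overview and the encoding fix recommended above, as an added example in Python that is not Easy Cart's code (the product's source is not on the page and its implementation language is not stated). The search path, the HTML template and the probe string are assumptions constructed for this example; `reflects_unencoded` is the check a tester runs against a live response to confirm that the markup characters of the probe come back unencoded, and `render_vulnerable` and `render_fixed` model the two ways the keyword parameter can be written into the page.

```python
"""Model of a search page that reflects the `keyword` parameter.

Added example, not code from Easy Cart Shopping Cart. The endpoint path,
the HTML template and the probe are assumptions constructed for the
demonstration.
"""

import html
from urllib.parse import parse_qs, urlencode, urlsplit

SEARCH_PATH = "/search.php"  # assumed path; not taken from the advisory

# Constructed probe: closes the value="" attribute, then injects a tag whose
# event handler runs script. Constructed for this example, not an exploit
# string taken from the advisory.
PROBE = '"><img src=x onerror=alert(1)>'


def build_search_url(base, keyword):
    """Build the crafted link an attacker would send to a victim.

    urlencode percent-encodes the keyword so it survives transport; the
    server decodes it again before reflecting it.
    """
    return f"{base}{SEARCH_PATH}?{urlencode({'keyword': keyword})}"


def keyword_from_url(url):
    """Server side: recover the keyword parameter from the request URL."""
    query = parse_qs(urlsplit(url).query)
    return query.get("keyword", [""])[0]


def render_vulnerable(keyword):
    """Vulnerable pattern: raw input concatenated into HTML.

    The keyword lands both inside an attribute value and in element text,
    so a single `"` or `<` lets the input change the page structure.
    """
    return (
        '<form action="/search.php"><input name="keyword" value="'
        + keyword
        + '"></form><h2>Results for '
        + keyword
        + "</h2>"
    )


def render_fixed(keyword):
    """Fixed pattern: encode for the HTML contexts the value is written into.

    html.escape(quote=True) encodes &, <, >, " and ', which is what is
    needed for both the attribute value and the element text used here.
    A value written into a JavaScript string or a URL would need a
    different encoder.
    """
    safe = html.escape(keyword, quote=True)
    return (
        '<form action="/search.php"><input name="keyword" value="'
        + safe
        + '"></form><h2>Results for '
        + safe
        + "</h2>"
    )


def reflects_unencoded(response_body, probe):
    """Tester's check: is the probe reflected byte-for-byte?

    If the quote and angle brackets come back unencoded, the response is
    injectable; if they come back as &quot; / &lt; / &gt;, it is not.
    """
    return probe in response_body


def assess(base_url, render):
    """Run the full round trip: craft URL, parse it, render, check."""
    url = build_search_url(base_url, PROBE)
    body = render(keyword_from_url(url))
    return {
        "url": url,
        "reflected_unencoded": reflects_unencoded(body, PROBE),
        "body": body,
    }


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        result = assess("https://shop.example", render)
        print(f"{name}: reflected unencoded = {result['reflected_unencoded']}")
        print("  " + result["body"])
```

Note that `html.escape` does not strip the `onerror` text; it neutralises the characters that would let the input change the HTML structure, which is the property that matters. The check in `reflects_unencoded` deliberately looks for the exact probe rather than for the word `alert`, because a response that echoes an encoded copy of the payload is not exploitable.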
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Easy Cart Shopping Cart, version range: 2021
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions
No linked articles in our index yet.