CVE-2021-47885
Description
Multiple payment terminal versions contain non-persistent cross-site scripting vulnerabilities in billing and payment information input fields. Attackers can inject malicious script code through vulnerable parameters to manipulate client-side requests and potentially execute session hijacking or phishing attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple payment terminal versions contain a non-persistent cross-site scripting vulnerability in billing input fields, allowing attackers to inject malicious scripts for session hijacking or phishing.
Vulnerability Overview
CVE-2021-47885 describes a non-persistent (reflected) cross-site scripting vulnerability in multiple payment terminal versions, including PayPal PRO Payment Terminal <=3.1, Stripe Payment Terminal <=2.2.1, and others [2]. The vulnerability exists in billing and payment information input fields such as amount, first name, last name, address, city, and zip code. The values submitted in these fields are reflected back into the response without validation or output encoding, so an attacker can inject arbitrary HTML and JavaScript through them [1].
Exploitation
An attacker crafts a URL or form submission that places an XSS payload in one of the vulnerable parameters. When the victim opens the link or submits the crafted form, the payment terminal reflects the value into its response unencoded and the injected script runs in the victim's browser, in the origin of the site hosting the terminal. No authentication is required, but the attack depends on user interaction such as clicking a link or submitting a crafted form [1]. The proof-of-concept injects through fields such as fname and amount, and the payload is reflected verbatim in the page response.
Impact
Successful exploitation lets an attacker execute arbitrary client-side script in the victim's session, which can lead to session hijacking, credential theft, or phishing. The attacker can also manipulate client-side requests or redirect users to malicious sites. The vulnerability has a CVSS v3 score of 6.4 (Medium); the cited CVSS v4 vector lists privileges required as low (PR:L) and user interaction as passive (UI:P) [2]. Note that PR:L does not agree with the statement above that no authentication is needed; the two assessments come from different sources, so confirm against the cited advisories before relying on either rating.
Mitigation
The vendor provides a fix based on secure input handling: validating user-supplied values and encoding them for the context in which they are reflected [1]. The advisory's proof-of-concept relies on an onkeyup event handler injected through a reflected field; contextual output encoding (HTML entity encoding of &, <, >, " and ' before a value is written into an attribute or element) ensures that such an injected handler is never parsed as markup. Organizations running affected versions should apply the updated plugin versions or restrict access to the payment terminal interface until a fix is in place.
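The reflection described under Exploitation and the encoding fix described under Mitigation, modelled in one added example. This is not the plugins' code and not the advisory's proof-of-concept. It assumes (the page does not say) that the plugin echoes submitted billing fields back into the value="..." attribute of its form inputs and that the payload closes that attribute and appends a tag carrying an onkeyup handler; the input template, the example URL and the payload are constructed for the demonstration.

```python
"""Added example, not the plugins' code: a model of the reflected XSS the
advisory describes and the output-encoding fix.

Assumptions not stated on the page: the plugin echoes submitted billing
fields (amount, fname, lname, ...) back into the value="..." attribute of
its form inputs, and the proof-of-concept payload closed that attribute
and appended a tag carrying an onkeyup event handler.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

BILLING_FIELDS = ("amount", "fname", "lname", "address", "city", "zip")

# Hypothetical template for one billing input; the real plugin markup differs.
INPUT_TEMPLATE = '<input type="text" name="{name}" value="{value}">'

# Amount is the only field with a tightly constrained format: accept only a
# plain decimal money value, reject everything else before it is used.
AMOUNT_PATTERN = re.compile(r"\d{1,9}(\.\d{1,2})?")


def params_from_url(url: str) -> dict:
    """First value of each query parameter, as a PHP $_GET lookup would see it."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def render_vulnerable(params: dict) -> str:
    """The vulnerable pattern: reflect every field verbatim into the markup."""
    return "\n".join(
        INPUT_TEMPLATE.format(name=f, value=params.get(f, ""))
        for f in BILLING_FIELDS
    )


def valid_amount(value: str) -> bool:
    return AMOUNT_PATTERN.fullmatch(value) is not None


def render_fixed(params: dict) -> str:
    """Hardened form: validate where the format is known, and always encode
    for the HTML attribute context. html.escape(quote=True) rewrites & < > " '
    so user input can neither close the attribute nor open a new tag."""
    cleaned = dict(params)
    if not valid_amount(cleaned.get("amount", "")):
        cleaned["amount"] = ""  # drop a malformed amount rather than reflect it
    return "\n".join(
        INPUT_TEMPLATE.format(name=f, value=html.escape(cleaned.get(f, ""), quote=True))
        for f in BILLING_FIELDS
    )


class HandlerFinder(HTMLParser):
    """Parses rendered markup and records every on* attribute it finds.
    A real parser is used rather than a regex: the encoded output still
    contains the text 'onkeyup=' inside a quoted attribute value, but no
    browser treats that text as an event handler, and neither does the parser."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, _ in attrs:  # attribute names arrive lower-cased
            if name.startswith("on"):
                self.handlers.append((tag, name))


def injected_handlers(page: str) -> list:
    finder = HandlerFinder()
    finder.feed(page)
    finder.close()
    return finder.handlers


# Constructed attacker URL in the shape the advisory describes: payload in fname.
PAYLOAD = '"><input onkeyup=alert(document.cookie) x="'
ATTACK_URL = "https://shop.example/checkout/?" + urlencode(
    {"fname": PAYLOAD, "lname": "Doe", "amount": "1.00"}
)


def demo(url: str = ATTACK_URL) -> dict:
    """Render the same request through both code paths and report handlers."""
    params = params_from_url(url)
    return {
        "vulnerable": injected_handlers(render_vulnerable(params)),
        "fixed": injected_handlers(render_fixed(params)),
    }


if __name__ == "__main__":
    p = params_from_url(ATTACK_URL)
    print(render_vulnerable(p), render_fixed(p), demo(), sep="\n\n")
```

Running the script prints the vulnerable rendering, where the fname payload has produced a second input element with an onkeyup attribute, and the fixed rendering, where the same request yields a single input whose value attribute merely contains the payload as text. Validation of the amount field is kept separate from encoding on purpose: a format check narrows what a field may contain, but only contextual output encoding makes the reflection safe for free-text fields such as names and addresses.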
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.criticalgears.com/product/authorize-net-payment-terminal/
- www.criticalgears.com/product/paypal-pro-payment-terminal/
- www.criticalgears.com/product/stripe-payment-terminal/
- www.vulncheck.com/advisories/payment-terminal-multiple-versions-non-persistent-cross-site-scripting
- www.vulnerability-lab.com/get_content.php
News mentions
No linked articles in our index yet.