CVE-2021-47911
Description
Affiliate Pro 1.7 contains multiple reflected cross-site scripting vulnerabilities in the index module's input fields. Attackers can inject malicious scripts through fullname, username, and email parameters to execute client-side attacks and manipulate browser requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affiliate Pro 1.7 has reflected XSS in index module input parameters, enabling client-side attacks.
Vulnerability Overview
Affiliate Pro 1.7 is vulnerable to multiple reflected cross-site scripting (XSS) flaws in its index module. The application fails to properly sanitize user input passed through the fullname, username, and email parameters, allowing an attacker to inject arbitrary HTML and JavaScript code [1][2].
Exploitation Conditions
An attacker can exploit this vulnerability by crafting a malicious URL containing XSS payloads in the vulnerable parameters and tricking a victim into clicking the link. No authentication is required to trigger the vulnerability, though the victim must be logged into the application for the injected script to execute in context [1].
Impact
Successful exploitation allows the attacker to execute malicious scripts in the victim's browser, leading to session hijacking, defacement of the application interface, theft of sensitive data, or redirection to attacker-controlled sites. The CVSS v3 base score is 5.4 (Medium) [2].
Mitigation
The vendor has not released a specific patch as of the advisory date. Users are advised to implement strict input validation and output encoding for the affected parameters, or upgrade to a newer version if available. Vulnerability-Lab recommends sanitization of the input fields to mitigate the risk [1].
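The input validation and output encoding recommended above, sketched for the three named parameters next to the unsafe reflected pattern. This is an added example, not vendor or advisory code; the page does not name the server-side stack, so Python is used, and the function names, allowlist rules, length limits and sample request are assumptions.

```python
import html
import re

# Allowlists for the three parameters named in the advisory (rules are assumptions).
VALIDATORS = {
    "fullname": re.compile(r"[^\W\d_]+(?:[ .'\-][^\W\d_]+)*"),
    "username": re.compile(r"[A-Za-z0-9_.\-]{3,32}"),
    "email": re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)+"),
}
MAX_LEN = {"fullname": 100, "username": 32, "email": 254}


def validate(params):
    """Return (clean, errors); clean holds only values that pass the allowlist."""
    clean, errors = {}, {}
    for field, pattern in VALIDATORS.items():
        value = params.get(field, "").strip()
        if len(value) <= MAX_LEN[field] and pattern.fullmatch(value):
            clean[field] = value
        else:
            errors[field] = "invalid value"  # never echo the rejected input
    return clean, errors


def render_form_unsafe(params):
    """The reflected pattern: request values copied straight into markup."""
    return "".join(
        f'<input name="{f}" value="{params.get(f, "")}">' for f in VALIDATORS
    )


def render_form(params):
    """Hardened: validate, then HTML-encode everything written back."""
    clean, errors = validate(params)
    rows = []
    for field in VALIDATORS:
        # quote=True also encodes " and ', which matters inside attributes.
        value = html.escape(clean.get(field, ""), quote=True)
        note = f' <span class="err">{html.escape(errors[field])}</span>' if field in errors else ""
        rows.append(f'<input name="{field}" value="{value}">{note}')
    return "".join(rows)


# Constructed sample request: one legitimate value, two carrying markup.
SAMPLE = {
    "fullname": "Anne O'Neil",
    "username": '"><script>alert(1)</script>',
    "email": 'a@example.com"><img src=x onerror=alert(1)>',
}
```

The legitimate full name contains an apostrophe, so validation alone would still let a quote character reach the attribute; encoding at output time is what keeps it inert.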
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = 1.7
Patches (0)
No patches discovered yet.
References (4)
News mentions (0)
No linked articles in our index yet.