CVE-2022-45769
Description
A cross-site scripting (XSS) vulnerability in ClicShopping_V3 v3.402 allows attackers to execute arbitrary web scripts or HTML via a crafted URL parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in ClicShopping_V3 v3.402 allows attackers to execute arbitrary web scripts via a crafted URL parameter name.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in ClicShopping_V3 version 3.402. The name of an arbitrarily supplied URL parameter is copied directly into the value of an HTML tag attribute that is encapsulated in double quotation marks, without proper sanitization or encoding. This allows an attacker to inject arbitrary JavaScript or HTML by crafting a malicious parameter name. The vulnerable code path is reachable via the index.php page with parameters such as Search and AdvancedSearch [1].
Exploitation
An attacker can exploit this vulnerability by crafting a URL containing a malicious parameter name that breaks out of the attribute context. For example, the payload bel9c%22onmouseover%3d%22alert(1) uses a double quote to close the attribute and inject an onmouseover event handler. The attacker must trick a victim into clicking or visiting the crafted link; no authentication or special privileges are required. The proof-of-concept demonstrates a GET request to /ClicShopping_V3-version3_402/index.php?Search&AdvancedSearch& [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, cookie theft, defacement, or redirection to malicious sites. The attacker can also potentially destroy some components of the system, as noted in the advisory [1]. The impact is limited to the client side, but can be severe if the victim has administrative privileges within the application.
Mitigation
As of the publication date (2022-12-05), no official patch or fixed version has been released by the vendor. The reference indicates a vendor conversation was initiated, but no resolution is documented [1]. Users are advised to apply input validation and output encoding for all URL parameters, or to use a web application firewall (WAF) to block malicious parameter names. If the application is no longer maintained, consider migrating to a supported alternative.
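The attribute-context encoding the mitigation calls for, shown as an added example (not ClicShopping's own code): a constructed query string carrying the advisory's parameter names is rendered once with the vulnerable pattern the description gives (decoded parameter name interpolated into a double-quoted attribute) and once with output encoding, and the rendered markup is parsed to see which attributes a browser would actually get. The template and helper names are assumptions for illustration.

```python
"""Reflected XSS via an unencoded URL parameter *name* inside a double-quoted
attribute, and the output-encoding fix. Constructed illustration of the
pattern described for CVE-2022-45769; not the application's own code."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl

# Constructed query string: the advisory's benign parameters plus one
# parameter whose name (not value) carries the attribute-breakout payload.
SAMPLE_QUERY = "Search&AdvancedSearch&bel9c%22onmouseover%3d%22alert(1)"


def param_names(query: str) -> list[str]:
    # keep_blank_values=True: "Search" and "AdvancedSearch" have no value and
    # would otherwise be dropped, yet their names are still reflected.
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)]


def render_vulnerable(query: str) -> str:
    # Vulnerable pattern: the percent-decoded name goes straight into a
    # double-quoted attribute, so a literal '"' in it ends the attribute.
    return "".join(f'<input type="hidden" name="{n}" value="">'
                   for n in param_names(query))


def render_fixed(query: str) -> str:
    # Fix: encode for the attribute context. quote=True turns '"' into
    # &quot; (and '<', '>', '&' into entities), so the attribute stays closed.
    return "".join(f'<input type="hidden" name="{html.escape(n, quote=True)}" value="">'
                   for n in param_names(query))


class _AttrCollector(HTMLParser):
    """Collects every attribute name the HTML tokenizer sees on start tags."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(name for name, _ in attrs)


def injected_handlers(markup: str) -> list[str]:
    """Return the on* event-handler attributes present in the rendered markup,
    i.e. the evidence that a parameter name escaped its attribute."""
    parser = _AttrCollector()
    parser.feed(markup)
    return [a for a in parser.attrs if a.startswith("on")]


if __name__ == "__main__":
    print("vulnerable:", injected_handlers(render_vulnerable(SAMPLE_QUERY)))
    print("fixed:     ", injected_handlers(render_fixed(SAMPLE_QUERY)))
```

Note that `html.escape` is only correct for attribute values that sit inside quotes; the same name placed in an unquoted attribute or directly into a JavaScript context needs a different encoder.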
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ClicShopping_V3/ClicShopping_V3
- Range: =3.402
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.