ActiveITzone Active Super Shop CMS Manage Details Page cross site scripting
Description
A vulnerability, which was classified as problematic, has been found in ActiveITzone Active Super Shop CMS 2.5. This issue affects some unknown processing of the component Manage Details Page. The manipulation of the argument name/phone/address leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-235055.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Active Super Shop CMS 2.5 has a stored XSS vulnerability via the Manage Details Page that allows remote attackers to inject arbitrary scripts.
Vulnerability
A problematic vulnerability, classified as cross-site scripting (XSS), exists in ActiveITzone Active Super Shop CMS version 2.5. The flaw affects the Manage Details Page, where the name, phone, and address parameters are not properly sanitized before being stored and later presented to users [1]. This allows an attacker to inject malicious HTML or JavaScript code that will execute in the context of other users' browsers when the stored data is rendered.
Exploitation
An attacker with network access to the application can initiate the attack remotely without requiring authentication [1]. By crafting a POST request to the /shop/admin/manage_admin/update_profile/ endpoint, the attacker includes malicious payloads (e.g., `) within the name, phone, or address` fields. The PoC demonstrated in advisory [1] shows a successful attack by submitting the payload through a standard HTTP POST. The attack does not require any user interaction beyond the victim later viewing the affected admin profile page, where the stored script will execute automatically.
Impact
Successful exploitation results in arbitrary script execution within the context of the vulnerable application [1]. An attacker can use this to steal session cookies, redirect users to malicious sites, deface pages, or perform actions on behalf of an authenticated admin user. The security risk is estimated as medium by the discoverer [1], but the attacker's capabilities depend on the privileges of the user viewing the injected content.
Mitigation
As of the publication date (2023-07-20), no official patch from ActiveITzone has been announced [1]. The vendor's advisory recommends manually disallowing HTML code insertion for input fields and properly sanitizing the content to secure delivery [1]. A temporary workaround is to implement input validation and output encoding for the name, phone, and address parameters until a vendor-supplied fix becomes available.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: = 2.5
- ActiveITzone/Active Super Shop CMSv5Range: 2.5
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the name, phone, and address fields allows stored HTML injection."
Attack vector
An attacker with access to the admin panel can send a crafted POST request to `/shop/admin/manage_admin/update_profile/` with malicious HTML or JavaScript payloads in the `name`, `phone`, or `address` parameters [ref_id=1]. The attack is initiated remotely via a standard HTTP POST with `Content-Type: multipart/form-data` and requires an active admin session (authenticated user) [ref_id=1]. The injected script executes in the context of the admin interface when the profile page is rendered, leading to stored cross-site scripting [ref_id=1].
Affected code
The vulnerability exists in the "Manage Details Page" component of Active Super Shop CMS 2.5, specifically in the `/shop/admin/manage_admin/update_profile/` endpoint [ref_id=1]. The `name`, `phone`, and `address` input fields on the admin profile update form are not sanitized, allowing HTML injection [ref_id=1].
What the fix does
No official patch has been published by the vendor. The advisory recommends sanitizing the `name`, `address`, and `phone` input fields to disallow insertion of HTML code, and to securely encode output before rendering [ref_id=1]. Without a patch, administrators should implement input validation and output escaping on the affected form fields to prevent stored XSS.
Preconditions
- authAttacker must have access to the admin panel (authenticated session)
- inputThe admin must visit or render the profile update page after the payload is stored
Reproduction
1. Log in to the admin panel at `/shop/admin/`. 2. Navigate to `Manage Admin` and then to the profile update page at `/shop/admin/manage_admin/update_profile/`. 3. In the `name`, `phone`, or `address` field, insert a payload such as `">
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- seclists.org/fulldisclosure/2023/Jul/34mitreexploitmailing-list
- vuldb.commitresignaturepermissions-required
- vuldb.commitrevdb-entrytechnical-description
- www.vulnerability-lab.com/get_content.phpmitrerelated
News mentions
0No linked articles in our index yet.