CVE-2025-12267
Description
A flaw has been found in abhicodebox ModernShop 20250922. This issue affects some unknown processing of the file /search. Manipulation of the argument q can lead to cross-site scripting. The attack may be performed from remote. The exploit has been published and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The ModernShop 20250922 /search endpoint has a reflected XSS flaw via the q parameter, enabling remote attacks without authentication.
Vulnerability
The search functionality of ModernShop 20250922, an e-commerce platform, contains a reflected cross-site scripting (XSS) vulnerability in the /search endpoint. The q GET parameter is not properly sanitized, allowing arbitrary HTML and JavaScript to be injected and executed in the browser of a victim who visits a crafted URL. This flaw was reported on the vendor's community support page [1].
Exploitation
An attacker can trick a user into clicking a malicious link that includes a specially crafted q parameter payload, such as bwkni>hu1c6. The script executes in the context of the vulnerable site. No authentication is required, and the attack can be carried out remotely over HTTP/HTTPS [1].
Impact
Successful exploitation allows an attacker to perform actions on behalf of the victim, including stealing session cookies, login credentials, or other sensitive data displayed in the browser. The published proof-of-concept demonstrates alert(1) execution, confirming the vulnerability is exploitable [1].
Mitigation
As of the reported date, no official patch has been announced. The vendor (abhicodebox) has been notified through the platform's comment system. Users should sanitize the q parameter (e.g., HTML-encode special characters before reflecting it into the page) or implement a Content Security Policy (CSP) until an update is released [1].
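The output-encoding and CSP mitigations described above, as an added illustration that is not part of this advisory and not ModernShop's code. The handler names, the example URL and the shop hostname are assumptions; the probe string is the one quoted in the advisory. The vulnerable handler is shown only to make the difference visible to a reviewer checking a fix.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical stand-ins for a /search handler (assumed names, not ModernShop's code).
# Each takes the raw q value and returns the HTML fragment the page would echo.


def render_search_vulnerable(q: str) -> str:
    """Reflects the query into element content without encoding: the reflected-XSS pattern."""
    return f"<h2>Results for: {q}</h2>"


def render_search_safe(q: str) -> str:
    """HTML-encodes the query before interpolating it, so markup characters stay inert."""
    return f"<h2>Results for: {html.escape(q, quote=True)}</h2>"


def q_from_url(url: str) -> str:
    """Extract the first q value from a /search URL (empty string if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("q", [""])[0]


def csp_header() -> dict:
    """Restrictive CSP as a second layer: no inline script, same-origin script sources only."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
        )
    }


def reflects_unencoded(fragment: str, probe: str) -> bool:
    """Defender-side regression check: the probe (which contains '>') must not appear verbatim."""
    return probe in fragment


if __name__ == "__main__":
    # Constructed example URL; the probe value is the one quoted in the advisory.
    url = "http://shop.example/search?q=bwkni%3Ehu1c6"
    q = q_from_url(url)
    print("vulnerable:", render_search_vulnerable(q))
    print("hardened:  ", render_search_safe(q))
    print("CSP:", csp_header()["Content-Security-Policy"])
```

The regression check is intended for a fix verification step: rerun it against the patched endpoint's response body with the same probe and require it to return False.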
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.