Sellacious eCommerce Persistent Cross-Site Scripting Vulnerability
Vulnerability
A persistent cross-site scripting vulnerability has been identified in Sellacious eCommerce version 4.6, specifically within the 'Manage Your Addresses' module. The vulnerability allows attackers to inject malicious scripts into multiple address input fields, including full name, company, and address. Because the injected markup is stored with the address record, the scripts execute each time the address is displayed, enabling session hijacking and manipulation of application modules.
Impact
Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed each time the affected address information is accessed within the application. This could lead to session hijacking and unauthorized manipulation of application modules.
Reproduction
To reproduce this vulnerability, create a low-privilege user account, log in, and open the 'Manage Your Addresses' module. Markup such as an iframe entered into the address input fields is stored and then executed whenever the address information is viewed in the application.
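As an added illustration (not part of this advisory and not Sellacious code), the following Python shows the rendering pattern that produces this class of bug beside its encoded counterpart, plus a check for auditing already-stored address records. The field names, template and sample record are assumptions constructed for the example; the iframe value stands in for the kind of markup the advisory describes.

```python
import html
import re

# Constructed sample address record, as a store might persist it after a
# flaw of this kind: two fields carry HTML markup instead of plain text.
SAMPLE_ADDRESS = {
    "full_name": '<iframe src="https://example.invalid/"></iframe>',
    "company": "Example Co. & Sons",
    "address": "1 Main St <b>Suite 2</b>",
}

# Hypothetical field names mirroring the inputs named in the advisory.
ADDRESS_FIELDS = ("full_name", "company", "address")


def render_vulnerable(address):
    """Interpolates stored values straight into HTML: the flawed pattern.
    Any tag saved in a field becomes live markup when the page is viewed."""
    return "".join(
        f'<dd class="{f}">{address[f]}</dd>' for f in ADDRESS_FIELDS
    )


def render_escaped(address):
    """Same template, but every stored value is HTML-entity encoded at output
    time, so stored markup is shown as literal text rather than executed."""
    return "".join(
        f'<dd class="{f}">{html.escape(address[f], quote=True)}</dd>'
        for f in ADDRESS_FIELDS
    )


# Matches an opening or closing HTML tag anywhere in a stored value.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def find_markup(address):
    """Returns the names of fields whose stored value contains an HTML tag.
    Useful for auditing existing records after output encoding is deployed,
    since a fix at render time does not clean what was already stored."""
    return [f for f in ADDRESS_FIELDS if TAG_RE.search(address[f])]


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_ADDRESS))
    print(render_escaped(SAMPLE_ADDRESS))
    print(find_markup(SAMPLE_ADDRESS))
```

The encoding belongs at the point of output, not only at input: address values legitimately contain characters such as `&` (see the company field), and rejecting them on input would break real data while still leaving older records unprotected.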
