Easy Cart Shopping Cart Cross-Site Scripting Vulnerability in Search Module

Vulnerability

A non-persistent (reflected) cross-site scripting vulnerability has been identified in Easy Cart Shopping Cart 2021, specifically in the search module's keyword parameter. It allows remote attackers to inject malicious script code through the search input, potentially compromising user sessions and manipulating application content. The issue arises from the application's handling of POST method requests: the injected script is executed on the results page after submission.

Impact

Exploitation of this vulnerability allows for session hijacking, non-persistent phishing attacks, external redirects to malicious sources, and manipulation of affected application modules.

Reproduction

The vulnerability can be reproduced by sending a POST request to the 'index.php' of the Easy Cart application with the 'keyword_search' parameter. The injected script, such as an iframe pointing to an external source, is executed when the search results page is loaded.
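The fix for this class of bug is to encode the keyword at the point where the results page writes it back into HTML. The sketch below is an added example, not Easy Cart source code: only 'index.php' and 'keyword_search' come from the advisory, while the function names, the page markup, the 100-byte length limit and the Content-Security-Policy value are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not Easy Cart code): encode the reflected search keyword on output.

/** Encode untrusted text for HTML element content and quoted attribute values. */
function e(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
    // (including a multibyte character cut by the length limit) with U+FFFD.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Read the keyword from POST data: string only, no control bytes, bounded length. */
function read_keyword(array $post, int $maxLen = 100): string
{
    $raw = $post['keyword_search'] ?? '';
    if (!is_string($raw)) {              // keyword_search[]=x arrives as an array
        return '';
    }
    $raw = preg_replace('/[\x00-\x1F\x7F]/', '', $raw) ?? '';
    return substr(trim($raw), 0, $maxLen);
}

/** Hypothetical results header: the keyword appears as text and as an attribute value. */
function render_results_header(string $keyword): string
{
    $safe = e($keyword);
    return '<h2>Results for "' . $safe . '"</h2>' . "\n"
         . '<form method="post" action="index.php">'
         . '<input type="text" name="keyword_search" value="' . $safe . '">'
         . '</form>';
}

// The pattern the advisory describes, for contrast (raw echo of the parameter):
//   echo 'Results for ' . $_POST['keyword_search'];

if (PHP_SAPI !== 'cli') {
    // Defence in depth (assumed policy): no inline script, no framed content.
    header("Content-Security-Policy: default-src 'self'; frame-src 'none'; object-src 'none'");
    echo render_results_header(read_keyword($_POST));
} else {
    // Constructed sample input mirroring the advisory's iframe case.
    $sample = ['keyword_search' => '<iframe src="https://example.invalid/"></iframe>'];
    echo render_results_header(read_keyword($sample)), "\n";
}
```

Run from the command line, the sample keyword is printed with its angle brackets and quotes as entities, so a browser displays it as text instead of creating the frame.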

Added: Feb 1, 2026, 1:30 PM
Updated: Feb 1, 2026, 1:30 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 8.0
remediation: 0.0
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.