CriticalGears Payment Terminals Non-Persistent Cross-Site Scripting Vulnerability
Vulnerability
A non-persistent cross-site scripting vulnerability has been identified in multiple versions of CriticalGears payment terminals, including Authorize.net Payment Terminal through version 2.4.1, PayPal PRO Payment Terminal through version 3.1, and Stripe Payment Terminal through version 2.2.1. This vulnerability allows remote attackers to inject malicious scripts into various input fields within the billing and payment information forms. The injected scripts can manipulate client-side requests, potentially leading to session hijacking or phishing attacks.
Impact
Exploitation of this vulnerability allows for non-persistent cross-site scripting, where injected scripts are executed in the context of the user's browser session. This could be used for session hijacking or to conduct phishing attacks by manipulating the user into disclosing sensitive information.
Reproduction
To reproduce this vulnerability, inject a script payload into the 'Description', 'First Name', 'Last Name', 'Address', 'City', or 'Email' fields of the billing or payment information forms. The injected script will be executed in the user's browser, demonstrating the cross-site scripting vulnerability.
Remediation
The vulnerability can be addressed by implementing proper input validation and sanitization to restrict script injections. Additionally, the 'onkeyup' event handler should be sanitized to prevent script execution in the client's browser.
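The remediation above, sketched as an added example (not CriticalGears code): allow-list validation for the six fields the advisory names, and a reflected form field rendered without and with output encoding. The field names come from the advisory; the validation rules, function names and sample submission are assumptions constructed for illustration.

```javascript
// Added example: field names are from the advisory; everything else is assumed.
const FIELDS = ['Description', 'First Name', 'Last Name', 'Address', 'City', 'Email'];

// Per-field allow-list validation (hypothetical rules; tune to business needs).
const RULES = {
  'Email': /^[^\s@<>"']+@[^\s@<>"']+\.[A-Za-z]{2,}$/,
  'First Name': /^[\p{L} .'-]{1,64}$/u,
  'Last Name': /^[\p{L} .'-]{1,64}$/u,
  'City': /^[\p{L} .'-]{1,64}$/u,
  'Address': /^[\p{L}\p{N} .,'#\/-]{1,128}$/u,
  'Description': /^[^<>]{0,256}$/,
};

// Encode the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// BEFORE: the submitted value is reflected into the form unencoded.
function renderFieldVulnerable(name, value) {
  return `<input name="${name}" value="${value}">`;
}

// AFTER: the value is encoded for the attribute context on output.
function renderFieldHardened(name, value) {
  return `<input name="${escapeHtml(name)}" value="${escapeHtml(value)}">`;
}

// Validate every listed field; return the names of the fields that fail.
function validateForm(form) {
  return FIELDS.filter((f) => !RULES[f].test(String(form[f] ?? '')));
}

// Constructed sample submission (not taken from the advisory).
const sample = {
  'Description': 'Invoice 1001',
  'First Name': 'Ann"><script>/*constructed*/</script>',
  'Last Name': "O'Neil",
  'Address': '12 Main St. #4',
  'City': 'Springfield',
  'Email': 'ann@example.com',
};

console.log('rejected fields:', validateForm(sample));
console.log(renderFieldHardened('First Name', sample['First Name']));
```

Validation rejects the request early, but the encoding in `renderFieldHardened` is what keeps a value inert if it is ever reflected, so both layers are applied.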
