Neto E-Commerce CMS Cross-Site Scripting Vulnerability Allowing Privilege Escalation

Vulnerability

A reflected cross-site scripting vulnerability has been identified in Neto E-Commerce CMS versions 6.313.0 prior to 6.3115. It allows remote attackers to inject and execute arbitrary JavaScript through the kw parameter of the search functionality, which is reflected into the page without proper sanitization of user input. Beyond script execution, this enables cross-site request forgery (CSRF) attacks, account takeover (ATO) on sites with user sessions, and phishing or defacement attacks.
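
As an added illustration (not the advisory's or Neto's code), the JavaScript below contrasts the kind of unescaped reflection that produces a bug of this class with the same template rendered through an HTML escaper, plus a small regression check a template test could keep. The search-result template, the helper names and the sample input are assumptions.

```javascript
// Added example, not Neto CMS code: the template, helper names and sample input
// below are assumptions used to show the defect class and its fix.

// Characters that change meaning inside HTML text or a quoted attribute.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Escape a value for interpolation into HTML text or a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the search keyword is concatenated straight into the
// markup, so any markup contained in `kw` becomes part of the page.
function renderSearchHeaderVulnerable(kw) {
  return `<h1>Search results for "${kw}"</h1><input name="kw" value="${kw}">`;
}

// Hardened pattern: the same template, but every interpolation of user input
// goes through escapeHtml first.
function renderSearchHeaderSafe(kw) {
  const safe = escapeHtml(kw);
  return `<h1>Search results for "${safe}"</h1><input name="kw" value="${safe}">`;
}

// The fixed template contributes exactly three tag openers: <h1>, </h1>, <input.
const TEMPLATE_TAG_COUNT = 3;

function countTagOpens(html) {
  return (html.match(/</g) || []).length;
}

// Regression check for a template test: user input must never add a tag.
function isSafelyRendered(html) {
  return countTagOpens(html) === TEMPLATE_TAG_COUNT;
}

// Constructed input that closes the attribute and opens a tag if left unescaped.
const CONSTRUCTED_INPUT = 'shoes"><s>x</s>';

// Safe render shows shoes&quot;&gt;&lt;s&gt;x&lt;/s&gt; as plain text.
console.log(renderSearchHeaderSafe(CONSTRUCTED_INPUT));
console.log("vulnerable adds tags:", !isSafelyRendered(renderSearchHeaderVulnerable(CONSTRUCTED_INPUT)));
```

Escaping at the output point is the fix that holds regardless of where the keyword came from; a template engine with auto-escaping enabled does the same thing by default, and the tag-count check is the sort of assertion worth keeping in the test suite so the regression cannot come back silently.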

Impact

Exploitation of this vulnerability allows for arbitrary JavaScript execution in the context of the victim's browser, creating opportunities for cross-site request forgery (CSRF) attacks, account takeover (ATO) on sites with user sessions, and phishing or UI defacement attacks.

Reproduction

To reproduce this vulnerability, visit a Neto CMS site running a vulnerable version and supply a crafted payload in the kw parameter of the search URL. The payload can be a JavaScript expression, such as one that calls the prompt or confirm functions; once the URL is loaded, the injected script executes in the browser.
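
Because exploitation is a single GET request, attempts leave a clear trace in web-server access logs. The following added example (not from the advisory or Neto) is a small triage helper that decodes the kw parameter from combined-format log lines and flags values carrying HTML or script syntax, which a legitimate product keyword never contains. The log format, the patterns and the sample lines are constructed assumptions.

```javascript
// Added example, not Neto CMS code or the advisory's: log format, patterns,
// IPs and timestamps below are constructed for illustration.

// Syntax that should never appear in a legitimate product keyword search.
const SUSPICIOUS_KW = [
  /<\s*\/?\s*[a-z]/i,   // start of an HTML tag such as <s or </s
  /javascript\s*:/i,    // a javascript: URL
  /\bon[a-z]+\s*=/i,    // an inline event-handler attribute
];

// Pull the request path out of a combined-format access log line
// (method, path and protocol sit inside the first quoted field).
function requestPath(line) {
  const m = line.match(/"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Decode the kw parameter of a request path; null when the request has none.
function extractKw(path) {
  const query = path.split("?")[1];
  if (!query) return null;
  return new URLSearchParams(query).get("kw");
}

// Decode one extra level so doubly percent-encoded values are inspected too.
function isSuspiciousKw(kw) {
  if (kw === null) return false;
  let value = kw;
  try {
    value = decodeURIComponent(kw);
  } catch (_) {
    // malformed percent-encoding: inspect the raw value instead
  }
  return SUSPICIOUS_KW.some((re) => re.test(value));
}

// Return the client IP and once-decoded keyword of every flagged line.
function triageLog(lines) {
  const hits = [];
  for (const line of lines) {
    const path = requestPath(line);
    if (!path) continue;
    const kw = extractKw(path);
    if (isSuspiciousKw(kw)) {
      hits.push({ ip: line.split(" ")[0], kw });
    }
  }
  return hits;
}

// Constructed sample lines in combined log format (addresses from the
// documentation range, made-up timestamps).
const SAMPLE_LOG = [
  '203.0.113.5 - - [01/Oct/2025:18:20:01 +0000] "GET /search?kw=running+shoes HTTP/1.1" 200 5120',
  '203.0.113.7 - - [01/Oct/2025:18:20:09 +0000] "GET /search?kw=%3Cs%3Etest%3C%2Fs%3E HTTP/1.1" 200 5130',
  '203.0.113.9 - - [01/Oct/2025:18:21:14 +0000] "GET /product/123 HTTP/1.1" 200 8010',
  '203.0.113.11 - - [01/Oct/2025:18:22:30 +0000] "GET /search?kw=%2522%2520onmouseover%253Dx HTTP/1.1" 200 5125',
];

for (const hit of triageLog(SAMPLE_LOG)) {
  console.log(`suspicious kw from ${hit.ip}: ${hit.kw}`);
}
```

The second decode step matters: URLSearchParams removes one layer of percent-encoding, so a value encoded twice would otherwise pass the patterns and still reach the vulnerable template looking the same to the application. Treat the hits as a prioritisation aid for blocking and patching, not as proof of compromise.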

Added: Oct 1, 2025, 6:20 PM
Updated: Oct 1, 2025, 7:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.