SPA-CART CMS
cpe:2.3:a:spa-cart:ecommerce_cms:*:*:*:*:*:*:*
- 1.9.0.3
A stored cross-site scripting vulnerability has been identified in SPA-CART CMS version 1.9.0.3. This issue resides in the product description parameter, allowing authenticated administrators to inject malicious scripts. By submitting JavaScript payloads through the 'descr' parameter in the product edit form, attackers can execute arbitrary code in the browsers of administrative users.
Because the payload is stored, the injected script executes in the context of any user who views the product, potentially leading to session hijacking or other malicious actions.
To reproduce this vulnerability, an authenticated administrator can navigate to the product edit form for any product. Once there, injecting a script payload into the 'descr' parameter will trigger the cross-site scripting vulnerability when the product description is viewed.