Sui Shang Information Technology Suishang Enterprise-Level B2B2C Multi-User Mall System Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in Sui Shang Information Technology's Suishang Enterprise-Level B2B2C Multi-User Mall System version 1.0. The issue resides in the /Point/index/activity_state/1/category_id/1001 endpoint, where insufficient input sanitization of the category_id parameter in GET requests allows for the injection of arbitrary JavaScript payloads. These payloads are reflected in the server's response and executed in the context of the user's browser. This vulnerability can be exploited remotely without any authentication, although it requires user interaction.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the victim's browser.

Reproduction

To reproduce this vulnerability, send a GET request to the /Point/index/activity_state/1/category_id/1001 endpoint with a crafted category_id value that contains a JavaScript payload, for example a script tag that calls alert().

Remediation

It is recommended to implement input validation and sanitization for the category_id parameter to remove any HTML or JavaScript syntax before processing. Additionally, output encoding should be applied to user-controlled data before it is rendered in HTML, and a Content Security Policy should be established to restrict script execution.
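The remediation above, as an added example that is not part of the advisory or the vendor's code base: strict validation of category_id, output encoding of whatever is rendered, and a Content Security Policy header. The language of the mall system is not stated on this page, so the handler below is written framework-neutral in Python; the sample inputs and header values are constructed.

```python
import html
import re

# Allowlist: category_id must be a plain positive integer, as in /category_id/1001
# (assumption: the application never needs non-numeric category ids).
_CATEGORY_ID_RE = re.compile(r"[1-9][0-9]{0,9}")

# Constructed sample inputs: a benign id, one carrying a script tag, and junk.
SAMPLE_INPUTS = ["1001", "1001<script>alert(1)</script>", "", "abc"]


def validate_category_id(raw):
    """Return the category id as an int, or None if it is not a plain integer."""
    if raw is None or not _CATEGORY_ID_RE.fullmatch(raw):
        return None
    return int(raw)


def render_vulnerable(raw: str) -> str:
    """The pattern the advisory describes: the parameter is reflected verbatim."""
    return f'<div class="category" data-id="{raw}">Category {raw}</div>'


def render_hardened(raw: str) -> str:
    """Validate first; on failure render a fixed message and reflect nothing."""
    cid = validate_category_id(raw)
    if cid is None:
        return '<div class="error">Invalid category id</div>'
    # Output-encode anyway (defence in depth) even though cid is already an int.
    safe = html.escape(str(cid), quote=True)
    return f'<div class="category" data-id="{safe}">Category {safe}</div>'


def security_headers() -> dict:
    """Response headers that restrict script execution. Assumption: the mall's own
    scripts are served from the same origin; adjust the sources to the deployment."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; base-uri 'self'",
        "X-Content-Type-Options": "nosniff",
    }


def reflects_script(markup: str) -> bool:
    """Demo check: does the rendered HTML contain a live <script> tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for raw in SAMPLE_INPUTS:
        print(repr(raw), "vulnerable:", reflects_script(render_vulnerable(raw)),
              "hardened:", reflects_script(render_hardened(raw)))
```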

Added: Oct 27, 2025, 3:26 PM
Updated: Oct 27, 2025, 4:31 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.