Winston-Dsouza Ecommerce Website Cross-Site Scripting Vulnerability in GET Parameter Handler

Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Winston-Dsouza Ecommerce Website, in versions up to commit 87734c043269baac0b4cfe9664784462138b1b2e. The issue is in the file '/includes/header_menu.php', within the GET Parameter Handler component: the value of the 'error' GET parameter is written into the page without HTML encoding, so a remote attacker can inject arbitrary HTML and JavaScript that executes in the browser of any user who opens a crafted link to the affected page.

Impact

Exploitation of this vulnerability allows reflected cross-site scripting: JavaScript supplied in the crafted link runs in the victim's browser within the site's origin, with access to whatever the page exposes to script (the DOM, and session cookies unless they are marked HttpOnly) and the ability to issue requests with the victim's credentials. Because the injection is reflected rather than stored, the attacker must get each victim to open a crafted URL, for example via phishing; it is not triggered by merely browsing the site.

Reproduction

To reproduce this vulnerability, send a GET request to '/includes/header_menu.php' with the 'error' parameter set to a script tag, such as '<script>alert("xss")</script>' (URL-encoded in the query string). If the page is vulnerable, the response contains the tag verbatim and the script executes when the response is rendered in a browser. A fixed build returns the parameter HTML-encoded (&lt;script&gt;...&lt;/script&gt;), which the browser displays as text without executing it.
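The following is an added example, not code from the Winston-Dsouza project or from the original advisory. It builds the reproduction URL, shows the unsafe output pattern the advisory describes beside the encoded form a fix would produce, and classifies a response body as reflecting the payload raw (exploitable), encoded (fixed) or not at all. The path, parameter name and payload come from the advisory; the base URL, the helper names and the two sample response bodies are constructed here and are not real server output. The encoding step corresponds to PHP's htmlspecialchars($value, ENT_QUOTES, 'UTF-8') in the original application, which is an assumption about the fix, not a statement about the project's actual patch.

```python
"""Reflection check for the 'error' GET parameter of /includes/header_menu.php.

Added example; not the project's code. Sample bodies below are constructed.
"""
import html
import urllib.request
from urllib.parse import urlencode

TARGET_PATH = "/includes/header_menu.php"   # from the advisory
PARAM = "error"                             # from the advisory
PAYLOAD = '<script>alert("xss")</script>'   # from the advisory


def probe_url(base_url: str, payload: str = PAYLOAD) -> str:
    """Build the reproduction URL: base + path + ?error=<url-encoded payload>."""
    return base_url.rstrip("/") + TARGET_PATH + "?" + urlencode({PARAM: payload})


def render_error_vulnerable(value: str) -> str:
    """Unsafe pattern the advisory describes: the parameter is concatenated into
    HTML verbatim, so '<script>' in the value becomes a live script element."""
    return '<div class="alert alert-danger">' + value + "</div>"


def render_error_fixed(value: str) -> str:
    """Hardened form: HTML-encode the value before it reaches the page.
    html.escape(quote=True) maps < > & " ' to entities, the same characters
    PHP's htmlspecialchars(..., ENT_QUOTES) encodes (assumed fix, not the project's)."""
    return '<div class="alert alert-danger">' + html.escape(value, quote=True) + "</div>"


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """'raw'     -> payload present verbatim: the page is vulnerable.
    'encoded' -> only the entity-encoded payload appears: output is escaped.
    'absent'  -> the parameter is not reflected into this response at all."""
    if payload in body:
        return "raw"
    if html.escape(payload, quote=True) in body:
        return "encoded"
    return "absent"


def probe_live(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the probe URL and classify the response. Only run this against a
    deployment you are authorised to test; never called at import time."""
    with urllib.request.urlopen(probe_url(base_url), timeout=timeout) as resp:
        return classify_reflection(resp.read().decode("utf-8", errors="replace"))


# Constructed sample responses (not captured from a real server).
VULNERABLE_BODY = '<html><body>' + render_error_vulnerable(PAYLOAD) + "</body></html>"
FIXED_BODY = "<html><body>" + render_error_fixed(PAYLOAD) + "</body></html>"

if __name__ == "__main__":
    print(probe_url("http://shop.example"))          # hypothetical base URL
    print("vulnerable sample:", classify_reflection(VULNERABLE_BODY))  # raw
    print("fixed sample:     ", classify_reflection(FIXED_BODY))       # encoded
```

The classifier deliberately tests for the raw payload before the encoded one: a page that reflected the value both ways would still be exploitable, and must be reported as such. Substituting a payload that closes an attribute (`"><script>...`) instead of a bare tag is a useful second probe, since a partial fix that encodes only angle brackets would pass the first check and fail the second.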

Added: Nov 30, 2025, 5:17 PM
Updated: Nov 30, 2025, 5:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.