Ghostxbh Uzy-SSM-Mall Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Ghostxbh Uzy-SSM-Mall version 1.0.0. The issue arises from the file '/product', where the 'product_name' argument can be manipulated to inject malicious scripts. This vulnerability is present because the application does not properly filter or escape user input, leaving it open to script injection that can be executed in the user's browser. The vulnerability affects the entire site and could lead to serious consequences such as session hijacking or data leakage.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject scripts that are executed in the context of the user's browser. This could result in session hijacking, data theft, or other malicious actions performed on behalf of the user.

Reproduction

To reproduce this vulnerability, send a request to the '/mall/product' endpoint with the 'product_name' parameter containing a script tag, such as '<script>alert(1)</script>'. The injected script will be executed in the browser, demonstrating the cross-site scripting vulnerability.