Tmall Demo Search Box Cross-Site Scripting Vulnerability

A reflective cross-site scripting vulnerability has been identified in Tmall Demo versions prior to 20250505. The issue arises in an unknown function of the Search Box component, where an attacker can inject a malicious script that is executed in the context of the user's browser. This could lead to theft of user information such as cookies and session identifiers, manipulation of page content, hijacking of user sessions, or causing users to perform unintended actions.

Impact

Exploitation of this vulnerability allows for reflective cross-site scripting, where injected scripts are executed in the user's browser, potentially leading to session hijacking or manipulation of user data.

Reproduction

To reproduce this vulnerability, send a link containing a malicious script to a user. When the user clicks the link, the script will execute in their browser, demonstrating the cross-site scripting vulnerability.

Remediation

It is recommended to filter data input from the front end and apply HTML entity encoding to any data echoed back to the front end.