Mezereon Smart Search and Filter Shopify App Cross-Site Scripting Vulnerability
Vulnerability
A reflected cross-site scripting vulnerability has been identified in version 1.0 of the Smart Search & Filter Shopify App. This issue allows remote attackers to execute arbitrary JavaScript in the web browser of a user by injecting a malicious payload into the color filter parameter. The vulnerability arises from inadequate sanitization of parameter values, enabling the insertion of scripts that execute in the context of the affected application.
Impact
Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the user's browser session. This could lead to actions being performed on behalf of the user, theft of sensitive information such as session cookies or personal data, or manipulation of the page's content.
Reproduction
To reproduce this vulnerability, modify the URL to include a payload in one of the vulnerable parameters, such as 'mz.color' or 'mz.option_color'. A payload like an image tag with an 'onerror' event could be used to trigger the XSS by executing JavaScript, such as an alert.
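The fix for the inadequate sanitization described above, shown as an added example that is not code from the app or the advisory: it contrasts inserting the colour filter value into markup as-is with an allowlist-validated, HTML-escaped form. The function names, CSS class, allowlist pattern and shop.example URLs are assumptions; only the parameter names 'mz.color' and 'mz.option_color' come from the text.

```javascript
// Added example: helper names are hypothetical; only the parameter names
// 'mz.color' and 'mz.option_color' come from the advisory.
const FILTER_PARAMS = ['mz.color', 'mz.option_color'];

// Assumption: legitimate colour filter values are short names such as
// "red" or "navy blue" (letters, digits, spaces, hyphens).
const COLOR_VALUE = /^[A-Za-z0-9][A-Za-z0-9 \-]{0,31}$/;

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the parameter value is concatenated into markup as-is.
function renderFilterLabelUnsafe(value) {
  return '<span class="mz-active-filter">' + value + '</span>';
}

// Hardened pattern: output-encode at the point of insertion.
function renderFilterLabelSafe(value) {
  return '<span class="mz-active-filter">' + escapeHtml(value) + '</span>';
}

// Read the colour filter parameters; keep allowlisted values, report the rest.
function readColorFilters(url) {
  const params = new URL(url).searchParams;
  const accepted = [];
  const rejected = [];
  for (const name of FILTER_PARAMS) {
    for (const value of params.getAll(name)) {
      (COLOR_VALUE.test(value) ? accepted : rejected).push({ name, value });
    }
  }
  return { accepted, rejected };
}

// Constructed sample URLs (shop.example is a placeholder host).
const benignUrl = 'https://shop.example/collections/all?mz.color=navy%20blue';
const hostileUrl = 'https://shop.example/collections/all?mz.option_color=' +
  encodeURIComponent('<img src=x onerror=alert(1)>');

for (const url of [benignUrl, hostileUrl]) {
  const { accepted, rejected } = readColorFilters(url);
  accepted.forEach((f) => console.log('render:', renderFilterLabelSafe(f.value)));
  rejected.forEach((f) => console.log('rejected', f.name, '->', escapeHtml(f.value)));
}
```

Validation and escaping are both applied here on purpose: the allowlist rejects unexpected values early, while escaping at the point of output still holds if the allowlist is later loosened.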
