Bhabishya-123 E-Commerce Cross-Site Scripting Vulnerability
Vulnerability
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Bhabishya-123 E-commerce version 1.0, specifically within the index.php endpoint. The vulnerability arises because unsanitized input in the /index parameter is directly reflected in the response HTML. This flaw allows attackers to execute arbitrary JavaScript in the browser of users who click on a malicious link or submit a crafted request.
Impact
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user's browser. This could lead to various malicious outcomes, such as session hijacking, credential theft, or the delivery of malware.
Reproduction
To reproduce this vulnerability, host the application using a local server such as XAMPP or LAMP. Once the application is running, send a GET request to the index.php endpoint with a payload that includes a script tag. The injected JavaScript will execute in the browser if the vulnerability is present.
Remediation
As of the disclosure date, no patch is available. However, it is recommended to sanitize all user inputs before reflecting them in the HTML response. Implementing server-side input validation and setting strong Content Security Policy headers can also help mitigate this vulnerability.
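The remediation above, sketched in PHP as an added example; it is not code from the Bhabishya-123 project. The parameter name `q`, the helper names, the length limit and the specific CSP policy are assumptions chosen for illustration, and the sample input is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode untrusted text for an HTML body or quoted-attribute context.
function html_escape(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hypothetical helper: server-side validation of a query-string value.
function read_query_param(array $query, string $name, int $maxLen = 100): string
{
    $raw = $query[$name] ?? '';
    if (!is_string($raw)) {
        return '';                      // reject array input such as ?q[]=x
    }
    return substr($raw, 0, $maxLen);    // bound the length before use
}

// One possible policy (assumption): no inline scripts, same-origin resources only.
function csp_header(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'";
}

// Before: the request value is concatenated into the response HTML verbatim.
function render_unsafe(string $term): string
{
    return '<p>Results for: ' . $term . '</p>';
}

// After: the same value is HTML-encoded at the point of output.
function render_safe(string $term): string
{
    return '<p>Results for: ' . html_escape($term) . '</p>';
}

if (PHP_SAPI !== 'cli') {
    header(csp_header());               // headers must be sent before any output
    echo render_safe(read_query_param($_GET, 'q'));
} else {
    $sample = ['q' => '<em>shoes</em> "&\''];   // constructed input with markup characters
    echo render_unsafe(read_query_param($sample, 'q')), PHP_EOL;
    echo render_safe(read_query_param($sample, 'q')), PHP_EOL;
}
```

Run from the command line, the first line printed still contains live markup while the second shows the same input as inert text. Encoding is applied at output rather than at input so that every reflection point is covered regardless of where the value came from.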
