Andrewtch88 Mvc-Ecommerce Cross-Site Scripting Vulnerability

Vulnerability

A reflected Cross-Site Scripting (XSS) vulnerability affects Andrewtch88 Mvc-Ecommerce version 1.0. The product_catalogue.php component reflects the value of its query parameter into the HTML response without encoding it. A remote attacker can therefore craft a URL that carries arbitrary JavaScript in that parameter; when a victim opens the link, the script runs in the victim's browser within the application's origin.

Impact

Exploitation requires a victim to open an attacker-supplied link, as is typical for reflected XSS. The injected JavaScript then executes with the application's origin, which allows the attacker to read anything the page can read (including session cookies not marked HttpOnly), to perform actions in the victim's name against the application, and to disclose data visible to that user.

Reproduction

To reproduce this vulnerability, install the application locally and open the product_catalogue.php component in a browser. Supply a harmless proof-of-concept script payload in the query parameter of the request. The response echoes the payload into the HTML unencoded and the browser executes it. Confirm the finding by inspecting the raw response for the unencoded payload as well, since browser-side protections or a Content-Security-Policy on a deployment can mask the reflection without fixing it.

Remediation

The application should encode user-controlled data at the point where it is written into the response, using the encoding that matches the output context: HTML entity encoding (with quotes encoded) for element content and quoted attribute values, and a JSON or JavaScript-string encoding where the value lands inside a script block. Input sanitization on the way in is not a substitute, because the safe form of a value depends on where it is written. A restrictive Content-Security-Policy is worthwhile as defence in depth but does not replace output encoding.
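The pattern described above, shown as an added example rather than code from the Mvc-Ecommerce project: the parameter name `query`, the `$_GET` source and the surrounding markup are assumptions; the point is the encoding applied at each output context.

```php
<?php
// Added example, not code from Andrewtch88 Mvc-Ecommerce. It assumes the
// catalogue page reads the search term from $_GET['query'] (assumed name)
// and reflects it in HTML content, an attribute value and a script block.

/**
 * Encode a string for the HTML element-content and quoted-attribute contexts.
 * ENT_QUOTES encodes both ' and ", so the result is safe inside single- or
 * double-quoted attributes as well as in element content. ENT_SUBSTITUTE
 * replaces malformed UTF-8 instead of returning an empty string, which would
 * otherwise silently drop the value.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Encode a string for the JavaScript context. HTML encoding is not enough
 * inside <script>: the value is emitted as a JSON string literal with the
 * HEX flags so that <, >, &, ' and " cannot terminate the script or the
 * literal, and invalid UTF-8 is substituted rather than failing.
 */
function js(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

$query = isset($_GET['query']) ? (string) $_GET['query'] : '';

// VULNERABLE (the pattern the advisory describes): raw reflection.
// A value such as <script>...</script> becomes live markup.
// echo '<p>Results for: ' . $query . '</p>';

// FIXED: encode at the point of output, once per context.
?>
<p>Results for: <?= e($query) ?></p>
<input type="text" name="query" value="<?= e($query) ?>">
<script>
  // The JSON literal is a valid JavaScript expression, so no quotes are
  // added around it here; json_encode supplies them.
  var lastQuery = <?= js($query) ?>;
</script>
```

The `e()` helper is safe for element content and quoted attributes but not for unquoted attributes, URLs or CSS; each of those needs its own encoder. If the catalogue page never puts the value into a script, the `js()` helper can be dropped, but leaving HTML-encoded text inside a script block is a common mistake that the example is meant to make visible.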

Added: Apr 30, 2026, 4:28 PM
Updated: Apr 30, 2026, 4:28 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 7.5
remediation: 0.0
relevance: 7.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.