Vvveb CMS Unauthenticated Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in Vvveb CMS versions prior to 1.0.8.3. The issue occurs in the public product return form, where the 'customer_order_id' POST parameter is improperly sanitized before being displayed in an error message. This flaw allows for the execution of attacker-controlled HTML or JavaScript in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for unauthenticated reflected cross-site scripting, where injected scripts are executed in the user's browser.

Reproduction

To reproduce this vulnerability, access the public return form and enter a payload, such as an image tag with an 'onerror' event, into the 'Order ID' field. Submit the form with a non-existent order ID to trigger the error message, which will reflect the payload and execute the JavaScript in the browser.

Remediation

Users are advised to update to Vvveb CMS version 1.0.8.3 or later. Additionally, ensure that user-controlled input is properly HTML-escaped before being rendered in error messages.
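To illustrate the remediation, the following is an added example (not Vvveb's own code) contrasting a hypothetical error-message renderer that concatenates the submitted order ID into HTML unescaped with one that escapes it at the point of output; the function names and the alert markup are assumptions, and the sample input is constructed from the image-tag-with-onerror case the advisory describes.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the return form's "order not found" message.
// Vulnerable form: the submitted 'customer_order_id' value is concatenated
// into the HTML unescaped, so any markup in the parameter reaches the browser.
function renderOrderErrorVulnerable(string $customerOrderId): string
{
    return '<div class="alert">Order ' . $customerOrderId . ' was not found.</div>';
}

// Hardened form: the value is HTML-escaped once, where it is emitted into HTML.
// ENT_QUOTES covers both quote styles so the same helper is also safe inside
// attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, which would otherwise silently blank the error message.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderOrderErrorFixed(string $customerOrderId): string
{
    return '<div class="alert">Order ' . escapeHtml($customerOrderId) . ' was not found.</div>';
}

// Constructed sample input: an image tag with an onerror handler, as in the advisory.
$sample = '<img src=x onerror=alert(1)>';

$vulnerable = renderOrderErrorVulnerable($sample);
$fixed      = renderOrderErrorFixed($sample);

// The vulnerable output still carries a live tag; the fixed output renders it as text.
assert(str_contains($vulnerable, '<img'));
assert(!str_contains($fixed, '<img'));
assert(str_contains($fixed, '&lt;img src=x onerror=alert(1)&gt;'));

echo $fixed, PHP_EOL;
```

Escaping belongs at the output boundary rather than at input time, so the same order ID can still be stored or logged verbatim while every HTML rendering of it, including error messages, stays inert.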

Added: May 15, 2026, 7:36 PM
Updated: May 15, 2026, 7:36 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.5
remediation: 0.0
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.