### Key Information

#### Vulnerability Overview

- **CVE ID**: CVE-2025-61456
- **Disclosure Date**: October 13, 2025
- **Severity**: Medium (CVSS v3.1 Score: 6.1)
- **Vulnerability Type**: Reflected Cross-Site Scripting (XSS)

#### Affected Product

- **Vendor**: Independent (Bhaktiyara-123)
- **Project**: E-commerce
- **Version**: Not specified
- **File**: index.php
- **Vulnerable Endpoint**: `http://localhost/e-commerce-root/index.php`

#### Vulnerability Details

- The server fails to properly sanitize content within URL path parameters and reflects it directly into the HTML response, allowing attackers to inject JavaScript payloads via URL paths.
- Attackers can craft requests containing embedded scripts and send them to the vulnerable GET endpoint. Since the server reflects the input into the HTML response without proper HTML attribute escaping, browsers execute the reflected content as executable markup.

#### CWE Classification

- **CWE ID**: CWE-79
- **Title**: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

#### Impact

- Successful exploitation may lead to:
  - Execution of arbitrary JavaScript code
  - Phishing or identity spoofing via HTML injection
  - Session hijacking or token theft
  - Forced redirection or malware distribution
  - Credential harvesting via fake login forms

#### Proof of Concept (PoC)

1. Clone the repository
2. Host locally
3. Exploit the vulnerability
   - Sample Request: `GET /e-commerce-root/index.php?path=alert(1) HTTP/1.1`
   - Injected Payload: `alert(1)`
4. Expected Result: If vulnerable, the browser will execute the JavaScript code, displaying an alert box with the value `1`.

#### Recommendations

- Use `htmlspecialchars()` or equivalent methods to sanitize all untrusted output before rendering it as HTML.
- Implement server-side input validation to ensure the safety of all URL parameters and path information.
- Set strong Content Security Policy (CSP) headers to prevent inline script execution.
- Avoid directly embedding unvalidated user input into HTML responses.
- Implement context-sensitive output encoding (HTML, JavaScript, URL, CSS).

#### Timeline

- **Vulnerability Discovery**: September 16, 2025
- **Public Disclosure**: October 13, 2025
- **Patch Availability**: Not available at disclosure

#### Acknowledgments

- This vulnerability was discovered and disclosed by Tonsique Dasari.

#### References

- OWASP - XSS
- CWE-79 - XSS Classification
- PortSwigger - Cross-site Scripting
- CVE-2025-61456 on CVE.org
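The following is an added example illustrating the Recommendations section; it is not code from the Bhaktiyara-123 E-commerce project, whose actual handling of the `path` parameter is not shown on this page. It assumes a hypothetical `index.php` that reflects `path` into its HTML, shows the reflecting pattern the advisory describes as a comment, and then applies the five recommendations together: a CSP header, allow-list validation of `path`, and context-sensitive encoders (`encodeHtml`, `encodeJs`, `encodeUrlParam`) for the HTML, JavaScript and URL contexts. The page names and the `ALLOWED_PAGES` list are assumptions.

```php
<?php
// Added example, not the project's code. A hypothetical index.php that reflects
// the `path` query parameter, hardened per the advisory's recommendations.
declare(strict_types=1);

// Recommendation: strong CSP. Without 'unsafe-inline' in script-src, a browser
// refuses to run inline scripts even if a reflection slips through elsewhere.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
header('X-Content-Type-Options: nosniff');

// Recommendation: context-sensitive output encoding. Each encoder is correct
// only for the context it is named after.
function encodeHtml(string $s): string
{
    // ENT_QUOTES escapes both quote styles, so the result is safe in text
    // nodes and inside quoted attribute values; ENT_SUBSTITUTE avoids
    // returning an empty string on invalid UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function encodeJs(string $s): string
{
    // For a value placed inside a <script> block: JSON-encode and hex-escape
    // the characters that could otherwise terminate the script context.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function encodeUrlParam(string $s): string
{
    // For a value placed inside a URL query string.
    return rawurlencode($s);
}

// Recommendation: server-side validation. `path` is treated as a page name
// that must match an allow-list (assumed values), which is stricter than any
// denylist of "dangerous" characters.
const ALLOWED_PAGES = ['home', 'products', 'cart', 'checkout'];

function validatePath(string $raw): ?string
{
    return in_array($raw, ALLOWED_PAGES, true) ? $raw : null;
}

$rawPath = (string) ($_GET['path'] ?? 'home');

// ---- Reflecting pattern the advisory describes (do NOT do this) ----------
// Untrusted input written straight into the document, so the PoC payload
// above would be reflected verbatim and interpreted by the browser:
//   echo '<p>You are on: ' . $rawPath . '</p>';

// ---- Hardened pattern ----------------------------------------------------
// Validate first; anything that is echoed back, including the rejected raw
// value in the error message, goes through the encoder for its context.
$page = validatePath($rawPath);
?>
<!doctype html>
<html lang="en">
<head><meta charset="utf-8"><title>Shop</title></head>
<body>
<?php if ($page === null): ?>
  <!-- HTML text context: raw input is encoded, never embedded directly -->
  <p>Unknown page requested: <?= encodeHtml($rawPath) ?></p>
<?php else: ?>
  <p>You are on: <?= encodeHtml($page) ?></p>
  <!-- URL context inside an attribute: URL-encode, then HTML-encode -->
  <a href="index.php?path=<?= encodeHtml(encodeUrlParam($page)) ?>">reload</a>
  <!-- JavaScript context: a JSON literal, never string concatenation -->
  <script>var currentPage = <?= encodeJs($page) ?>;</script>
<?php endif; ?>
</body>
</html>
```

Serve this file with `php -S localhost:8080` and request it with the advisory's sample `path` value: the value is reflected only as inert text in the "Unknown page requested" message, the response carries the CSP header, and the inline `<script>` block (which the example still uses for illustration) would itself be blocked under this policy, so a production deployment would move it to an external file under `script-src 'self'`.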