Overview
CVE-2025-13450 identifies a reflected Cross-Site Scripting (XSS) vulnerability present in SourceCodester Online Shop Project version 1.0. This vulnerability allows an attacker to inject malicious scripts into the web application, potentially compromising user accounts or defacing the website. The vulnerability is located in the /shop/register.php file and is triggered by manipulating the f_name parameter.
Technical Details
The vulnerability resides within the register.php file of the SourceCodester Online Shop Project 1.0. Specifically, the application fails to properly sanitize or encode user-supplied input submitted through the f_name parameter during the registration process. An attacker can inject malicious JavaScript code into this parameter, which will then be reflected back to the user’s browser when the registration page is loaded or reloaded. Because the application trusts this unsanitized input, the injected script will execute within the context of the user’s browser, enabling the attacker to perform actions on behalf of the user.
CVSS Analysis
- Severity: LOW
- CVSS Score: 3.5
The CVSS score of 3.5 indicates a low-severity vulnerability, most likely because user interaction is required to trigger it. The CVSS vector would likely look something like AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N: network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, low integrity impact, and no availability impact.
Possible Impact
Successful exploitation of this XSS vulnerability can have several potential consequences:
- Account Hijacking: An attacker could potentially steal a user’s session cookie and gain unauthorized access to their account.
- Website Defacement: The attacker could inject code to modify the appearance of the website, potentially defacing it.
- Malware Distribution: An attacker could redirect users to malicious websites to download malware.
- Information Theft: Sensitive information displayed on the affected page could be stolen by injecting malicious scripts.
While rated as low severity, XSS vulnerabilities can be chained with other vulnerabilities to increase impact. For instance, social engineering could be used to trick users into clicking malicious links.
Mitigation or Patch Steps
To mitigate this vulnerability, the following steps should be taken:
- Input Sanitization: Implement robust input sanitization on the server side to remove or escape any potentially malicious characters from user inputs, specifically the f_name parameter in register.php. Use escaping functions appropriate for the output context (HTML in this case).
- Output Encoding: Encode all user-supplied data before rendering it in the HTML output. This will prevent the browser from interpreting the data as executable code.
- Content Security Policy (CSP): Implement a strong Content Security Policy to restrict the sources from which the browser can load resources. This can help prevent the execution of injected scripts.
- Update SourceCodester Online Shop Project: Check for updated versions of the SourceCodester Online Shop Project. If a patch is available, apply it immediately.
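As an added example (not code from the SourceCodester project), the snippet below shows the reflection pattern that causes this class of bug next to the output-encoded form in PHP. The form markup, function names, CSP value and sample input are constructed for illustration; the actual contents of register.php are not reproduced here.

```php
<?php
// Constructed example: encoding the f_name value before it is reflected
// back into the registration page. Not the project's own code.
declare(strict_types=1);

// Encode a value for insertion into an HTML text node or quoted attribute.
// ENT_QUOTES escapes both ' and " so the value cannot close a quoted attribute;
// ENT_SUBSTITUTE keeps malformed UTF-8 from silently producing an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the raw parameter is concatenated straight into markup,
// so a value containing " or < is interpreted as HTML by the browser.
function render_vulnerable(array $request): string
{
    $fname = $request['f_name'] ?? '';
    return '<input type="text" name="f_name" value="' . $fname . '">';
}

// Hardened pattern: encode at the point of output, for the HTML context.
// (A value placed inside a <script> block would need JSON encoding instead.)
function render_hardened(array $request): string
{
    $fname = $request['f_name'] ?? '';
    return '<input type="text" name="f_name" value="' . h($fname) . '">';
}

// Defense in depth: a restrictive CSP so that an inline script that slips
// past encoding is still blocked. Sources are a constructed example; adjust
// them to the deployment and test the site before enforcing.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed sample input carrying the characters that matter for HTML injection.
$sample = ['f_name' => 'Ann" <script>'];
echo render_vulnerable($sample), PHP_EOL;  // value="Ann" <script>"  (attribute broken out of)
echo render_hardened($sample), PHP_EOL;    // value="Ann&quot; &lt;script&gt;"  (inert text)
```

The same `h()` wrapper should be applied to every user-controlled value the page echoes, not only f_name, since the advisory identifies one parameter but the underlying pattern is per-output, not per-parameter.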
