Unknown · CE Phoenix · CVE-2025-47289
**Name of the Vulnerable Software and Affected Versions**
CE Phoenix versions 1.0.9.9 through 1.1.0.2
**Description**
A stored cross-site scripting (XSS) vulnerability exists in CE Phoenix: an attacker can inject malicious JavaScript into the testimonial description field. If the shop owner approves the testimonial, the script executes in the browser of any user who visits the testimonial page. Because the session cookies are not marked with the `HttpOnly` flag, the injected script can read and exfiltrate them, potentially leading to account takeover.
**Recommendations**
For versions 1.0.9.9 through 1.1.0.2, update to version 1.1.0.3 to fix the issue.
As a temporary workaround, consider restricting access to the testimonial description field until the update is applied.
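The two weaknesses in the description above, the unescaped output of a stored field and a session cookie readable by script, and the corresponding fixes, shown as an added PHP illustration that is not CE Phoenix's own code (the function names, the sample testimonial text and the cookie settings are hypothetical):

```php
<?php
// Added illustration, not CE Phoenix code: renders a testimonial description
// the unsafe way (raw output) and the hardened way (context-aware escaping),
// and shows session cookie settings that deny injected script access to it.

// Constructed sample input standing in for an attacker-controlled testimonial.
$description = "Great shop! <script>alert('stored xss')</script>";

// Vulnerable pattern: the stored field is echoed into the page verbatim,
// so every visitor's browser executes whatever markup the submitter stored.
function render_testimonial_unsafe(string $description): string
{
    return '<p class="testimonial">' . $description . '</p>';
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES also encodes both quote characters; ENT_SUBSTITUTE replaces
// invalid UTF-8 rather than returning an empty string and silently dropping
// the whole testimonial.
function render_testimonial_safe(string $description): string
{
    $escaped = htmlspecialchars(
        $description,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<p class="testimonial">' . $escaped . '</p>';
}

// Second layer: a session cookie flagged HttpOnly is not exposed through
// document.cookie, so even a script that does get injected cannot read it.
// These parameters must be set before session_start(). 'secure' assumes the
// shop is served over HTTPS, which it should be.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

echo render_testimonial_unsafe($description), PHP_EOL;
echo render_testimonial_safe($description), PHP_EOL;
```

Running the script prints the raw markup once and the entity-encoded form once; only the second is safe to embed in a page served to other users.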