Unknown · Peel Shopping · CVE-2021-27190
Name of the Vulnerable Software and Affected Versions:
PEEL SHOPPING versions 9.3.0 and 9.4.0
Description:
A stored Cross-Site Scripting (XSS) issue was discovered that allows an attacker to store malicious JavaScript which is later served to other users. This can lead to theft of session cookies or redirection of users to attacker-controlled websites. The vulnerability occurs when user-supplied input containing a polyglot payload is echoed back inside JavaScript code embedded in an HTML response: because the value lands in a script context rather than in HTML text, a payload that closes the surrounding JavaScript string literal (or the enclosing `<script>` element) runs in the victim's browser, and HTML-entity encoding alone does not prevent it.
Recommendations:
For versions 9.3.0 and 9.4.0, consider disabling the `change_params.php` functionality as a temporary workaround until a patch is available.
Restrict access to the `utilisateurs/change_params.php` endpoint to minimize the risk of exploitation.
Avoid placing user-supplied input in JavaScript code within HTML responses until the issue is resolved. Where a value must reach script, emit it as a JSON string literal with `<`, `>`, `&`, U+2028 and U+2029 escaped as `\uXXXX` sequences; plain HTML-entity encoding is not sufficient in a script context.
Setting the `HttpOnly` flag on session cookies and deploying a Content Security Policy that disallows inline script reduce the impact of a successful injection but do not remove the underlying flaw.
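The following Node.js script is an added example, not code from Peel Shopping or from the CVE report, illustrating the flaw described above and the escaping recommended as the fix. The function names (`renderVulnerable`, `renderSafe`, `jsStringLiteral`, `simulateBrowser`), the page layout and the polyglot payload are all constructed for the demonstration and do not reproduce Peel Shopping's templates or the real `change_params.php` page; the "browser" is a deliberately crude model that ends the script element at the first `</script` exactly as an HTML tokenizer does, then runs the remaining JavaScript with `alert()` replaced by a sentinel.

```javascript
// Added example (not Peel Shopping code): user input echoed into a JavaScript
// string inside an HTML response, and one hardened form of the same output.
// Run with: node xss_js_context.js

// Vulnerable pattern (constructed for illustration): the stored value is dropped
// straight into a single-quoted JS string literal inside an inline <script>.
function renderVulnerable(displayName) {
  return `<html><body><script>var userName = '${displayName}';</script>` +
         `<p>Hello</p></body></html>`;
}

// Hardened pattern: serialise the value as a JSON string literal, then escape the
// characters that still matter in a script context. JSON.stringify alone is not
// enough because a literal "</script>" inside the string ends the script element
// at the HTML level, and U+2028/U+2029 are line terminators to the JS parser.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(displayName) {
  return `<html><body><script>var userName = ${jsStringLiteral(displayName)};</script>` +
         `<p>Hello</p></body></html>`;
}

// Crude model of the browser's HTML tokenizer: a script element ends at the
// first "</script" (case-insensitive) regardless of JavaScript string boundaries.
function extractFirstScript(html) {
  const m = /<script>([\s\S]*?)<\/script/i.exec(html);
  return m ? m[1] : "";
}

// Run the extracted script with alert() replaced by a sentinel and report whether
// it fired and what userName ended up holding. new Function() is used only as a
// demonstration harness; it is not an isolation boundary.
function simulateBrowser(html) {
  const alerts = [];
  const script = extractFirstScript(html);
  try {
    const run = new Function(
      "alert",
      script + "\n;return typeof userName === 'undefined' ? undefined : userName;"
    );
    const userName = run((x) => alerts.push(x));
    return { alertFired: alerts.length > 0, userName, error: null };
  } catch (e) {
    return { alertFired: alerts.length > 0, userName: undefined, error: String(e) };
  }
}

// Constructed polyglot payload: closes the JS string literal, runs code, comments
// out the remainder of the line, and also carries an HTML breakout in case the
// same value is ever rendered into markup instead of script.
const PAYLOAD = "';alert(1);//</script><img src=x onerror=alert(1)>";

console.log("vulnerable:", simulateBrowser(renderVulnerable(PAYLOAD)));
console.log("hardened:  ", simulateBrowser(renderSafe(PAYLOAD)));
```

In the vulnerable rendering the tokenizer cuts the script at the payload's `</script>`, leaving `var userName = '';alert(1);//` to execute, so the sentinel fires. In the hardened rendering the same payload survives intact as the value of `userName` and nothing else runs, which is the property the recommendation above asks for.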