CVE-2020-23447

Name of the Vulnerable Software and Affected Versions newbee-mall version 1.0

Description The issue allows for cross-site scripting. It can be triggered by writing an xss payload in the address information when buying goods, which is then executed when viewing the "View Recipient Information" of this order in "Order Management Office". The API endpoint involved is "shop-cart/settle".

Recommendations For newbee-mall version 1.0, as a temporary workaround, consider restricting access to the "shop-cart/settle" endpoint until a patch is available. Additionally, avoid using potentially malicious input in the address information field to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.