CVE-2021-39412

Name of the Vulnerable Software and Affected Versions: PHPGurukul Shopping version 3.1

Description: Multiple Cross Site Scripting (XSS) vulnerabilities exist in the software. The issues are found in the callback parameter in several API endpoints: "server side/scripts/id jsonp.php", "server side/scripts/jsonp.php", and "scripts/objects jsonp.php", the value parameter in "examples support/editable ajax.php", and the PHP SELF parameter in "captcha/index.php".

Recommendations: For PHPGurukul Shopping version 3.1, consider disabling the vulnerable parameters callback and value in the affected API endpoints until a patch is available. Restrict access to the vulnerable scripts, such as "id jsonp.php", "jsonp.php", "objects jsonp.php", "editable ajax.php", and "captcha/index.php", to minimize the risk of exploitation. Avoid using the PHP SELF parameter in "captcha/index.php" until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.