Platform: php
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Online Eyewear Shop version 1.0. It allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides in the /classes/Master.php?f=save_product file, specifically through manipulation of the 'brand' parameter. A patch is available in version 1.0.1.
Successful exploitation of CVE-2025-3297 allows an attacker to inject arbitrary JavaScript code into the Online Eyewear Shop application. This can lead to various malicious outcomes, including session hijacking, defacement of the website, and redirection of users to phishing sites. The attacker could steal sensitive user data, such as login credentials or payment information. Given the nature of XSS, the impact can be significant, potentially affecting all users who interact with the vulnerable page. The attack can be launched remotely, increasing the potential attack surface.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact warrant immediate attention. No known active campaigns targeting this specific vulnerability have been reported as of the publication date. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations and individuals using SourceCodester Online Eyewear Shop version 1.0 are at risk. Shared hosting environments are particularly vulnerable, as a compromised account could potentially inject malicious scripts affecting other users on the same server. Users who have not implemented robust input validation and output encoding practices are also at increased risk.
• php / web: Examine the /classes/Master.php file for unsanitized handling of the 'brand' parameter. Search access logs for unusual JavaScript code being injected via GET requests to /classes/Master.php?f=save_product. Note that standard Apache access logs record only the request line and query string, not POST bodies, so a payload submitted in a form body will not appear in them.
grep -i 'script' /var/log/apache2/access.log | grep '/classes/Master.php'
Exploit status
EPSS: 0.21% (43rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-3297 is to upgrade to version 1.0.1 of the Online Eyewear Shop. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the 'brand' parameter within the /classes/Master.php?f=save_product file. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Thoroughly review and sanitize all user-supplied input to prevent further XSS vulnerabilities.
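The following is an added example, not code from the Online Eyewear Shop project, showing what "input validation and output encoding on the 'brand' parameter" looks like in PHP. The function names, the allowlist pattern and the assumption that the stored brand is later rendered inside an HTML table cell are all hypothetical; the real sink in the application is not shown on this page.

```php
<?php
// Added example (not from the Online Eyewear Shop code base): validating the
// 'brand' field on input and encoding it on output. Function and variable
// names are hypothetical; the allowlist is an assumption made for this example.

declare(strict_types=1);

// Validation step: accept only characters a brand name plausibly needs and
// reject everything else rather than trying to "clean" it.
function validateBrand(string $brand): ?string
{
    $brand = trim($brand);
    if ($brand === '' || mb_strlen($brand, 'UTF-8') > 100) {
        return null;
    }
    // Letters in any script, digits, spaces and a few punctuation marks.
    if (!preg_match('/^[\p{L}\p{N} .,&\'\-]+$/u', $brand)) {
        return null;
    }
    return $brand;
}

// Output encoding step: encode at the point the value is placed into HTML,
// whether or not validation ran earlier (stored data may predate the fix).
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Weak pattern: the raw field is interpolated into markup. Shown only to
// contrast with the hardened version below.
function renderBrandUnsafe(string $brand): string
{
    return "<td class=\"brand\">{$brand}</td>";
}

// Hardened pattern: validate on input, encode on output.
function renderBrandSafe(string $brand): string
{
    $clean = validateBrand($brand);
    if ($clean === null) {
        throw new InvalidArgumentException('brand rejected by validation');
    }
    return '<td class="brand">' . encodeForHtml($clean) . '</td>';
}

// Constructed sample inputs for demonstration.
$benign  = 'Ray-Ban & Co.';
$hostile = '<script>alert(1)</script>';

echo renderBrandUnsafe($benign), PHP_EOL;
echo renderBrandSafe($benign), PHP_EOL;   // the & becomes &amp;; the text still reads correctly

try {
    renderBrandSafe($hostile);
} catch (InvalidArgumentException $e) {
    echo 'hostile brand rejected: ', $e->getMessage(), PHP_EOL;
}

// For legacy rows that were stored before validation existed, encoding alone
// still neutralises the markup when it is rendered.
echo encodeForHtml($hostile), PHP_EOL;   // &lt;script&gt;alert(1)&lt;/script&gt;
```

Validation and encoding are deliberately separate functions: validation limits what is stored, while encoding protects every HTML sink regardless of how the value got there, which matters for records saved before the fix was applied.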
Update to a patched version of the software. Contact the vendor to obtain a fixed version or apply the necessary security measures to prevent manipulation of the 'brand' parameter and other vulnerable parameters. Validate and sanitize user input to prevent XSS attacks.
CVE-2025-3297 is a cross-site scripting (XSS) vulnerability in SourceCodester Online Eyewear Shop version 1.0, allowing attackers to inject malicious scripts.
You are affected if you are using SourceCodester Online Eyewear Shop version 1.0 and have not upgraded to version 1.0.1.
Upgrade to version 1.0.1. As a temporary measure, implement input validation and output encoding on the 'brand' parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the SourceCodester website or relevant security advisories for the official advisory regarding CVE-2025-3297.