Platform
php
Fixed in
1.0.1
CVE-2025-13450 describes a cross-site scripting (XSS) vulnerability discovered in SourceCodester Online Shop Project version 1.0. The vulnerability affects the /shop/register.php file and allows attackers to inject malicious scripts by manipulating the f_name argument. It has been publicly disclosed, and a fix is available in version 1.0.1.
Successful exploitation of CVE-2025-13450 allows an attacker to inject arbitrary JavaScript code into the Online Shop Project application. This can lead to various malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive user data like login credentials or personal information. The attack is remotely exploitable, meaning an attacker does not need to be on the same network as the server. The impact is amplified if the application is used to process financial transactions or store sensitive customer data.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. The CVSS score is LOW, suggesting that exploitation may require specific conditions or user interaction. No known active campaigns targeting this vulnerability have been reported as of the publication date. Public proof-of-concept code is likely to emerge given the public disclosure.
Small and medium-sized businesses utilizing the SourceCodester Online Shop Project for e-commerce operations are particularly at risk. Organizations relying on older, unpatched versions of the software, or those with limited security resources, are also more vulnerable. Shared hosting environments where multiple users share the same server infrastructure could also be affected if one user's installation is compromised.
• php / web:
curl -I 'http://your-shop-url.com/shop/register.php?f_name=<script>alert("XSS")</script>' | grep 'Content-Type' # Inspect the response headers; note that -I sends a HEAD request, so this shows only the Content-Type and not whether the payload is reflected in the page body
• generic web:
grep -i 'f_name=<script' /var/log/apache2/access.log # Look for suspicious f_name parameter values in access logs
Exploit Status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-13450 is to upgrade to version 1.0.1 of the SourceCodester Online Shop Project. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the f_name parameter in the /shop/register.php file to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review and harden the application's security configuration to minimize the attack surface.
Upgrade to a patched version of the software. If no patched version is available, sanitize user input in the register.php file, especially the f_name parameter, to prevent execution of malicious JavaScript code. Use HTML-specific escaping functions before displaying the data on the page.
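The workaround described above (validate f_name on input, escape it on output), shown as an added example in PHP. This is not code from the SourceCodester Online Shop Project; it assumes register.php reflects the submitted first name back into the form, and the function and field names are hypothetical.

```php
<?php
// Added example, not code from the SourceCodester Online Shop Project.
// Assumes register.php echoes the submitted first name back into the form
// (e.g. to repopulate the field after a validation error); names are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: the raw f_name value is concatenated straight into HTML,
// so a value containing "><script>...</script> closes the attribute and runs.
function render_first_name_vulnerable(string $f_name): string
{
    return '<input type="text" name="f_name" value="' . $f_name . '">';
}

// Hardened pattern, part 1: validate on input. A first name only needs letters,
// spaces, apostrophes and hyphens (1 to 50 characters); anything else is rejected
// before the value is stored or reflected. Returns null when invalid.
function validate_first_name(string $f_name): ?string
{
    $f_name = trim($f_name);
    // \p{L} with the /u modifier accepts letters from any script, not only ASCII.
    if (!preg_match('/^\p{L}[\p{L} \'\-]{0,49}$/u', $f_name)) {
        return null;
    }
    return $f_name;
}

// Hardened pattern, part 2: escape on output. ENT_QUOTES encodes both quote styles
// so the value cannot break out of the attribute; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of silently returning an empty string.
function render_first_name_safe(string $f_name): string
{
    $escaped = htmlspecialchars($f_name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="f_name" value="' . $escaped . '">';
}

// Constructed sample input resembling the payload used in the advisory's check command.
$sample = '"><script>alert("XSS")</script>';

// The vulnerable renderer emits the script tag as live markup.
echo render_first_name_vulnerable($sample), PHP_EOL;
// The safe renderer emits it as inert text (quotes and angle brackets entity-encoded).
echo render_first_name_safe($sample), PHP_EOL;
// Input validation rejects the payload outright and accepts an ordinary name.
var_dump(validate_first_name($sample));
var_dump(validate_first_name("Mary-Ann O'Neil"));
```

Both layers are needed: validation limits what reaches storage, while output escaping protects every place the value is rendered, including values that entered the database before validation existed.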
CVE-2025-13450 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Online Shop Project version 1.0, allowing attackers to inject malicious scripts via the /shop/register.php file.
You are affected if you are running SourceCodester Online Shop Project version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the f_name parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Refer to the SourceCodester website or their official communication channels for the advisory regarding CVE-2025-13450.