CVE-2021-47897
Stored XSS in PEEL Shopping 9.3.0 Address Parameter

Publication date: 2026-01-23

Last updated on: 2026-01-23

Assigner: VulnCheck

Description
PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the address parameter of the change_params.php script. Attackers can inject malicious JavaScript payloads that execute when users interact with the address text box, potentially enabling client-side script execution.
Meta Information
Published: 2026-01-23
Last Modified: 2026-01-23
Generated: 2026-05-07
AI Q&A: 2026-01-23
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: peel
Product: shopping
Version / Range: 9.3.0
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2021-47897 is a stored cross-site scripting (XSS) vulnerability in PEEL Shopping version 9.3.0. It exists in the 'address' parameter of the change_params.php script, where an attacker can inject malicious JavaScript code. This code is stored and later executed when users interact with the address text box on the website, allowing client-side script execution through improper input neutralization. [1, 2]


How can this vulnerability impact me?

This vulnerability can allow attackers to execute malicious JavaScript in the context of users' browsers when they interact with the address field. This can lead to actions such as stealing user session data, performing unauthorized actions on behalf of the user, or delivering malicious payloads, potentially compromising user security and trust. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the 'address' parameter in the utilisateurs/change_params.php script for stored cross-site scripting (XSS). You can attempt to inject a benign JavaScript payload into the address field and then verify whether the payload executes when interacting with the address text box, for example by using curl or a similar tool to send a POST request with a JavaScript payload in the 'address' parameter and then checking the web application for execution of the script. Specific commands are not provided in the resources, but the exploit involves injecting JavaScript code and observing its execution upon user interaction with the address field. [2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include sanitizing and validating user input on the 'address' parameter in the change_params.php script to prevent injection of malicious JavaScript. Applying patches or updates from the vendor if available is recommended. Additionally, implementing Content Security Policy (CSP) headers to restrict script execution and educating users about the risk can help reduce impact. Since no specific mitigation commands or patches are detailed in the resources, input validation and cautious handling of user-supplied data are the primary immediate steps. [1, 2]
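As an added illustration (not PEEL Shopping's code and not taken from the cited resources), the hypothetical PHP fragment below shows the unsafe pattern of writing a stored address straight into the text box's value attribute beside the hardened form that encodes it for the attribute context, adds an input-side plausibility check, and sets a CSP header. Only the parameter name `address` comes from the advisory; the function names and the sample value are assumptions.

```php
<?php
// Hypothetical reconstruction, not PEEL Shopping's code.
// Only the field name "address" is taken from the advisory.

// Unsafe pattern: the stored value lands inside value="" verbatim, so a
// double quote or angle bracket in it changes the attribute/tag structure.
function render_address_vulnerable(string $stored_address): string
{
    return '<input type="text" name="address" value="' . $stored_address . '">';
}

// Hardened pattern: encode at output time for the HTML attribute context.
// ENT_QUOTES escapes both " and '; ENT_SUBSTITUTE avoids dropping output on
// invalid UTF-8; the charset must match the page's declared encoding.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_address_safe(string $stored_address): string
{
    return '<input type="text" name="address" value="' . html_attr($stored_address) . '">';
}

// Input-side limit: a postal address never needs markup characters, so rejecting
// them on the way in narrows exposure. This complements output encoding; it does
// not replace it, since other fields and other sinks still need encoding.
function address_is_plausible(string $address): bool
{
    return strlen($address) <= 200 && !preg_match('/[<>"\']/', $address);
}

// Constructed sample containing the characters that matter in attribute context.
$sample = '12 Rue "Test" <Bat. A>';

// CSP without 'unsafe-inline' blocks inline event handlers and inline scripts,
// limiting what an injected fragment can do if encoding is ever missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

if (!address_is_plausible($sample)) {
    echo 'address rejected at input validation', PHP_EOL;
}
echo render_address_safe($sample), PHP_EOL;
```

Running this from the command line prints the rejection line for the sample (it contains quotes and angle brackets) followed by the encoded input element; the vulnerable renderer is left unused and exists only for comparison.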

