CVE-2021-47897
Unknown Unknown - Not Provided
Stored XSS in PEEL Shopping 9.3.0 Address Parameter

Publication date: 2026-01-23

Last updated on: 2026-01-23

Assigner: VulnCheck

Description
PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the address parameter of the change_params.php script. Attackers can inject malicious JavaScript payloads that execute when users interact with the address text box, potentially enabling client-side script execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-01-23
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47897
EUVD
EUVD-2026-4290
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
peel shopping 9.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47897 is a stored cross-site scripting (XSS) vulnerability in PEEL Shopping version 9.3.0. It exists in the 'address' parameter of the change_params.php script, where an attacker can inject malicious JavaScript code. This code is stored and later executed when users interact with the address text box on the website, allowing client-side script execution through improper input neutralization. [1, 2]

Impact Analysis

This vulnerability can allow attackers to execute malicious JavaScript in the context of users' browsers when they interact with the address field. This can lead to actions such as stealing user session data, performing unauthorized actions on behalf of the user, or delivering malicious payloads, potentially compromising user security and trust. [1, 2]

Detection Guidance

This vulnerability can be detected by testing the 'address' parameter in the utilisateurs/change_params.php script for stored cross-site scripting (XSS). You can attempt to inject a benign JavaScript payload into the address field and then verify if the payload executes when interacting with the address text box. For example, using curl or a similar tool to send a POST request with a JavaScript payload in the 'address' parameter and then checking the web application for execution of the script. Specific commands are not provided in the resources, but the exploit involves injecting JavaScript code and observing its execution upon user interaction with the address field. [2]

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating user input on the 'address' parameter in the change_params.php script to prevent injection of malicious JavaScript. Applying patches or updates from the vendor if available is recommended. Additionally, implementing Content Security Policy (CSP) headers to restrict script execution and educating users about the risk can help reduce impact. Since no specific mitigation commands or patches are detailed in the resources, input validation and cautious handling of user-supplied data are the primary immediate steps. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47897. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart