CVE-2021-47885
Non-Persistent XSS in Payment Terminal Input Fields Enables Session Hijacking

Publication date: 2026-02-01

Last updated on: 2026-02-01

Assigner: VulnCheck

Description
Multiple payment terminal versions contain non-persistent cross-site scripting vulnerabilities in billing and payment information input fields. Attackers can inject malicious script code through vulnerable parameters to manipulate client-side requests and potentially execute session hijacking or phishing attacks.
Meta Information
Published: 2026-02-01
Last Modified: 2026-02-01
Generated: 2026-05-07
AI Q&A: 2026-02-01
EPSS Evaluated: 2026-05-05
External records: NVD, EUVD
Affected Vendors & Products (6 associated CPEs)
Vendor        | Product                         | Version / Range
criticalgears | authorize.net_payment_terminal  | 2.4.1
stripe        | payment_terminal                | 2.2.1
paypal        | pro_payment_terminal            | 3.1
criticalgears | payment_terminal                | up to 2.4.1 (inclusive)
stripe        | payment_terminal                | up to 2.2.1 (inclusive)
paypal        | pro_payment_terminal            | up to 3.1 (inclusive)
CWE
CWE ID | Description
CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2021-47885 is a medium severity non-persistent cross-site scripting (XSS) vulnerability found in multiple versions of CriticalGears' payment terminals, including Authorize.net, Stripe, and PayPal PRO Payment Terminals. The vulnerability exists in billing and payment information input fields such as Description, Firstname, Lastname, Address, City, and Email. Attackers can inject malicious scripts via POST requests without authentication by exploiting improper input validation and sanitization, especially in an 'onkeyup' event handler that fails to properly sanitize input. This allows the injected scripts to execute on the client side. [1, 2]

How can this vulnerability impact me?

Exploitation of this vulnerability can lead to session hijacking, phishing attacks, external redirects to malicious sites, and manipulation of application modules. Attackers can manipulate client-side requests by injecting malicious scripts into vulnerable input fields, potentially compromising user sessions and redirecting users to harmful content. [1, 2]

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the vulnerable payment terminal forms for non-persistent cross-site scripting (XSS) by injecting malicious script payloads into the input fields such as Description, Firstname, Lastname, Address, City, and Email. Detection involves sending crafted POST requests with script code in these parameters and observing if the script executes in the client-side context. For example, using curl commands to send POST requests with payloads in the vulnerable parameters can help identify the issue. A sample command might be: curl -X POST -d "item_description=<script>alert(1)</script>&fname=test&lname=test&address=test&city=test&[email protected]" https://target-payment-terminal-url/endpoint. Successful execution of the script indicates the vulnerability. Additionally, manual or automated web application scanners that test for reflected XSS in these input fields can be used. [1]

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing strict input validation and sanitization on all billing and payment information input fields, especially the parameters item_description, fname, lname, address, city, and email. This involves escaping or parsing user input to prevent script execution. Securing or removing the vulnerable onkeyup event handler (checkFieldBack) that improperly handles invalid input exceptions is critical to avoid executing injected scripts. Applying patches or updates from the vendor that address these XSS flaws is recommended. Additionally, monitoring and filtering incoming requests to detect and block malicious payloads can help reduce risk until a full fix is applied. [1]
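As an added example (not code from this page, from CriticalGears, or from any of the named vendors), the following JavaScript shows the escaping that the mitigation above calls for: the same billing form is rendered once with the submitted values copied verbatim into the markup (the reflected-XSS pattern) and once with every value HTML-escaped for the attribute it is placed in, and a small regression check reports whether any submitted value survived into the HTML unescaped. The parameter names item_description, fname, lname, address, city and email come from the advisory; the rendering functions, the check and the sample POST body are constructed for illustration and are assumptions, not the product's code.

```javascript
// Added example (not code from the page, from CriticalGears or from any vendor):
// escaping reflected billing-field values before they land in HTML, which is the
// "escaping or parsing user input" the mitigation describes.
// The field names come from the advisory; everything else is constructed here.

const FIELDS = ['item_description', 'fname', 'lname', 'address', 'city', 'email'];

// Escape the five characters that can break out of text or a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable pattern: the submitted value is copied verbatim into the value=""
// attribute of the re-rendered form, so a quote or a tag in the input becomes
// markup that the browser interprets.
function renderFormUnsafe(params) {
  return FIELDS
    .map((f) => `<input name="${f}" value="${params[f] ?? ''}">`)
    .join('\n');
}

// Hardened pattern: identical markup, but every reflected value is escaped for
// the attribute context it is placed in.
function renderFormSafe(params) {
  return FIELDS
    .map((f) => `<input name="${f}" value="${escapeHtml(params[f] ?? '')}">`)
    .join('\n');
}

// Regression check: true if any submitted value that carries markup characters
// appears unchanged in the rendered HTML, i.e. it was reflected without escaping.
function reflectsRawMarkup(html, params) {
  return FIELDS.some((f) => {
    const v = params[f];
    return typeof v === 'string' && /[<>"']/.test(v) && html.includes(v);
  });
}

// Constructed sample POST body: two fields carry harmless markup markers, the
// rest are ordinary values.
const samplePost = {
  item_description: '<b>marker</b>',
  fname: 'a"><i>',
  lname: 'test',
  address: 'test',
  city: 'test',
  email: 'test@example.invalid',
};

console.log('unsafe form reflects raw markup:', reflectsRawMarkup(renderFormUnsafe(samplePost), samplePost)); // true
console.log('safe form reflects raw markup:  ', reflectsRawMarkup(renderFormSafe(samplePost), samplePost));   // false
```

The escaping is context-specific: this function is correct for HTML text and quoted attribute values, which is where the billing fields are reflected here. A value that is later inserted into a JavaScript string, a URL or an inline event handler such as the onkeyup handler named above needs the encoding for that context instead, and the safest fix for an inline handler is to register it with addEventListener and read the field through its DOM value property rather than rebuilding markup from the submitted string.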