CVE-2021-47885
Unknown Unknown - Not Provided
Non-Persistent XSS in Payment Terminal Input Fields Enables Session Hijacking

Publication date: 2026-02-01

Last updated on: 2026-02-01

Assigner: VulnCheck

Description
Multiple payment terminal versions contain non-persistent cross-site scripting vulnerabilities in billing and payment information input fields. Attackers can inject malicious script code through vulnerable parameters to manipulate client-side requests and potentially execute session hijacking or phishing attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-01
Last Modified
2026-02-01
Generated
2026-06-16
AI Q&A
2026-02-01
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47885
EUVD
EUVD-2021-34763
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
criticalgears authorize.net_payment_terminal 2.4.1
stripe payment_terminal 2.2.1
paypal pro_payment_terminal 3.1
criticalgears payment_terminal to 2.4.1 (inc)
stripe payment_terminal to 2.2.1 (inc)
paypal pro_payment_terminal to 3.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47885 is a medium severity non-persistent cross-site scripting (XSS) vulnerability found in multiple versions of CriticalGears' payment terminals, including Authorize.net, Stripe, and PayPal PRO Payment Terminals. The vulnerability exists in billing and payment information input fields such as Description, Firstname, Lastname, Address, City, and Email. Attackers can inject malicious scripts via POST requests without authentication by exploiting improper input validation and sanitization, especially in an 'onkeyup' event handler that fails to properly sanitize input. This allows the injected scripts to execute on the client side. [1, 2]

Impact Analysis

Exploitation of this vulnerability can lead to session hijacking, phishing attacks, external redirects to malicious sites, and manipulation of application modules. Attackers can manipulate client-side requests by injecting malicious scripts into vulnerable input fields, potentially compromising user sessions and redirecting users to harmful content. [1, 2]

Detection Guidance

This vulnerability can be detected by testing the vulnerable payment terminal forms for non-persistent cross-site scripting (XSS) by injecting malicious script payloads into the input fields such as Description, Firstname, Lastname, Address, City, and Email. Detection involves sending crafted POST requests with script code in these parameters and observing if the script executes in the client-side context. For example, using curl commands to send POST requests with payloads in the vulnerable parameters can help identify the issue. A sample command might be: curl -X POST -d "item_description=<script>alert(1)</script>&fname=test&lname=test&address=test&city=test&[email protected]" https://target-payment-terminal-url/endpoint. Successful execution of the script indicates the vulnerability. Additionally, manual or automated web application scanners that test for reflected XSS in these input fields can be used. [1]

Mitigation Strategies

Immediate mitigation steps include implementing strict input validation and sanitization on all billing and payment information input fields, especially the parameters item_description, fname, lname, address, city, and email. This involves escaping or parsing user input to prevent script execution. Securing or removing the vulnerable onkeyup event handler (checkFieldBack) that improperly handles invalid input exceptions is critical to avoid executing injected scripts. Applying patches or updates from the vendor that address these XSS flaws is recommended. Additionally, monitoring and filtering incoming requests to detect and block malicious payloads can help reduce risk until a full fix is applied. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47885. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart