SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS

Exploit Author: CraCkEr Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Unknown Published Date: 2023-09-04 
# Exploit Title: SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 20/08/2023
# Vendor: SPA-Cart
# Vendor Homepage: https://spa-cart.com/
# Software Link: https://demo.spa-cart.com/
# Version: 1.9.0.3
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-4547
# CWE: CWE-79 - CWE-74 - CWE-707


## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob


## Description

The attacker can send to victim a link containing a malicious URL in an email or instant message
can perform a wide variety of actions, such as stealing the victim's session token or login credentials


Path: /search

GET parameter 'filter[brandid]' is vulnerable to XSS
GET parameter 'filter[price]' is vulnerable to XSS

https://website/search?filtered=1&q=11&load_filter=1&filter[brandid]=[XSS]&filter[price]=[XSS]&filter[attr][Memory][]=500%20GB


XSS Payloads:

vnxjb"><script>alert(1)</script>bvu51


[-] Done


SPA-Cart eCommerce CMS 1.9.0.3 – Reflected XSS Vulnerability Analysis

Security researchers have identified a critical reflected XSS vulnerability in SPA-Cart eCommerce CMS version 1.9.0.3, affecting the /search endpoint. This flaw enables attackers to inject malicious scripts via crafted URLs, potentially leading to session hijacking, credential theft, or full site manipulation.

Understanding Reflected XSS

Reflected XSS occurs when user input is directly echoed back in the response without proper sanitization. Unlike stored XSS, where malicious code persists on the server, reflected XSS is triggered by a single request — typically through a URL parameter. The attacker sends a malicious link to a victim, who executes it by clicking, thereby running the script in their browser.

This vulnerability is particularly dangerous in e-commerce platforms like SPA-Cart, where users frequently interact with search functionalities, making the /search endpoint a prime attack vector.

Vulnerable Parameters and Attack Path

The exploit targets two GET parameters within the search query:

  • filter[brandid]
  • filter[price]

These parameters are used to filter products by brand or price range. However, the application fails to sanitize input before rendering it in the response, allowing arbitrary script injection.

Exploit Example


https://demo.spa-cart.com/search?filtered=1&q=11&load_filter=1&filter[brandid]=[XSS]&filter[price]=[XSS]&filter[attr][Memory][]=500%20GB

By replacing [XSS] with a malicious payload, such as:


vnxjb">alert(1)bvu51

the server echoes the input directly into the HTML response, executing the script in the victim's browser.

How the Attack Works

Consider the following scenario:

  1. An attacker crafts a malicious URL using the vulnerable filter[brandid] parameter.
  2. The URL is sent via email or instant message to a user.
  3. The victim clicks the link, triggering the request to the SPA-Cart search page.
  4. The server reflects the unescaped input into the HTML output.
  5. The browser executes the embedded <script> tag, resulting in a pop-up alert (or more dangerous actions).

Although the alert(1) payload is harmless for demonstration, real-world exploits could include:

  • Stealing session cookies via document.cookie
  • Redirecting users to phishing sites
  • Injecting malicious scripts to compromise user accounts

Security Impact and Risk Assessment

CVE CWE Severity Attack Vector
CVE-2023-4547 CWE-79 (Improper Neutralization of Input During Output Generation) High Remote, via URL

Due to the low barrier to entry (no authentication required), this vulnerability poses a significant risk to end-users, especially in public-facing e-commerce environments.

Real-World Exploitation Use Cases

Attackers could leverage this flaw in several ways:

  • Phishing: Redirect users to fake login pages using JavaScript redirection.
  • Session Hijacking: Extract session_token from cookies and send it to an attacker-controlled server.
  • Malware Delivery: Inject a script that downloads and executes malicious payloads.
  • Browser Fingerprinting: Gather user device information for targeted attacks.

Code-Level Vulnerability Analysis

Here’s a simplified representation of how the vulnerable code might look:


// Pseudocode: Vulnerable Search Endpoint
function renderSearchResults() {
  const brandId = request.get('filter[brandid]');
  const price = request.get('filter[price]');

  // ❌ No sanitization or escaping
  output += '<div>Brand: ' + brandId + '</div>';
  output += '<div>Price: ' + price + '</div>';
}

This code directly concatenates user input into HTML without escaping special characters like <, >, or ". As a result, any script-containing input is executed in the browser.

Secure Fix Recommendations

To mitigate this vulnerability, developers should implement strict input validation and output encoding:


// ✅ Secure Implementation
function renderSearchResults() {
  const brandId = sanitizeInput(request.get('filter[brandid]'));
  const price = sanitizeInput(request.get('filter[price]'));

  // Use HTML escaping
  output += '<div>Brand: ' + escapeHtml(brandId) + '</div>';
  output += '<div>Price: ' + escapeHtml(price) + '</div>';
}

function escapeHtml(text) {
  return text
    .replace(/&/g, '&')
    .replace(//g, '>')
    .replace(/"/g, '"');
}

Additionally, consider:

  • Input validation: restrict parameters to numeric or predefined values.
  • Rate limiting: prevent abuse of search endpoints.
  • Content Security Policy (CSP): block inline scripts by default.

Conclusion and Recommendations

SPA-Cart CMS 1.9.0.3’s reflected XSS vulnerability highlights a common yet critical flaw in web application design: failure to sanitize user input. While the exploit is simple, its consequences can be severe — especially in e-commerce systems where user trust and data integrity are paramount.

For users: Avoid clicking on untrusted links, especially those containing unusual query parameters.

For developers: Always sanitize and escape output. Use frameworks with built-in XSS protection, and conduct regular penetration testing.

For vendors: Patch the vulnerability immediately and release a security update. Monitor for similar issues in other endpoints.