CVE-2021-47885
📋 TL;DR
Multiple payment terminal versions contain non-persistent cross-site scripting (XSS) vulnerabilities in billing and payment information input fields. Attackers can inject malicious script code through vulnerable parameters to manipulate client-side requests, potentially enabling session hijacking or phishing attacks against payment terminal users.
💻 Affected Systems
- Authorize.net Payment Terminal
- PayPal Pro Payment Terminal
- Stripe Payment Terminal
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack user sessions, steal payment credentials, redirect users to phishing sites, or perform unauthorized transactions by manipulating client-side requests.
Likely Case
Attackers would typically use this for session hijacking or phishing attacks against payment terminal users, potentially capturing payment information or redirecting to malicious sites.
If Mitigated
With proper input validation and output encoding, the vulnerability would be prevented, maintaining normal payment processing functionality.
🎯 Exploit Status
Non-persistent XSS typically requires user interaction (clicking a malicious link) but can be exploited without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in provided references
Vendor Advisory: Not provided in references
Restart Required: No
Instructions:
1. Check vendor websites for security updates.
2. Apply any available patches from Authorize.net, PayPal, or Stripe.
3. Verify the fix by testing input fields for XSS vulnerabilities.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side input validation and output encoding for all user-supplied data in payment fields.
Content Security Policy
Implement a strict Content Security Policy (CSP) to prevent execution of unauthorized scripts.
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules
- Monitor for suspicious input patterns in payment field submissions
🔍 How to Verify
Check if Vulnerable:
Test payment terminal input fields with XSS payloads like <script>alert('XSS')</script> and observe if script executes.
Check Version:
Check payment terminal administration interface or documentation for version information.
Verify Fix Applied:
Retest with XSS payloads after applying fixes; scripts should not execute and input should be properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual script tags or JavaScript in payment field submissions
- Multiple failed payment attempts with suspicious input
Network Indicators:
- HTTP requests containing script tags or JavaScript in POST parameters
- Unusual redirects from payment pages
SIEM Query:
source="payment_terminal" AND (http_request:*<script* OR http_request:*javascript:* OR http_request:*alert(*)
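As an added example (not part of this advisory or any vendor's code), the SIEM query's three patterns applied to constructed access-log lines, with the request URL-decoded first so percent-encoded submissions to payment fields are not missed; the log format and parameter names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Patterns from the advisory's SIEM query, compared case-insensitively
XSS_PATTERNS = ("<script", "javascript:", "alert(")

# Constructed sample log lines: "<client> <method> <path-and-parameters>"
SAMPLE_LOG = """\
10.0.0.5 POST /checkout.php billing_name=Jane+Doe&amount=12.50
10.0.0.7 POST /checkout.php billing_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&amount=1
10.0.0.9 GET /terminal.php?card_holder=JAVASCRIPT%3Aalert%28document.cookie%29
10.0.0.11 POST /checkout.php billing_name=O%27Brien&amount=40.00
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<request>.+)$")


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded submissions are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def matched_patterns(request):
    """Return the advisory's patterns found in the decoded, lower-cased request."""
    text = decode_fully(request).lower()
    return [p for p in XSS_PATTERNS if p in text]


def scan_log(log_text):
    """Return (client_ip, raw_request, matched_patterns) for each matching line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        found = matched_patterns(m["request"])
        if found:
            hits.append((m["ip"], m["request"], found))
    return hits


if __name__ == "__main__":
    for ip, req, found in scan_log(SAMPLE_LOG):
        print(ip, found, req)
```

Decoding before matching is what separates this from a raw substring query: the second and third sample lines contain none of the patterns until the percent-encoding is removed.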
🔗 References
- https://www.criticalgears.com/product/authorize-net-payment-terminal/
- https://www.criticalgears.com/product/paypal-pro-payment-terminal/
- https://www.criticalgears.com/product/stripe-payment-terminal/
- https://www.vulncheck.com/advisories/payment-terminal-multiple-versions-non-persistent-cross-site-scripting
- https://www.vulnerability-lab.com/get_content.php?id=2280