TechStore XSS

MEDIUM (6.1) No Patch

Threat Intelligence

Low Risk
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found

What is it?

TechStore is an e-commerce platform that allows users to create and manage online stores. The user_name endpoint reflects the id query parameter directly into the HTML response without output encoding or sanitization, allowing execution of arbitrary JavaScript code in a victim’s browser.
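The reflection described above, next to an output-encoded and validated form, as an added example that is not TechStore's own code. The `/user_name` route shape, the HTML template, the numeric-id rule and the response headers are assumptions made for illustration; the advisory names only the user_name endpoint and the id parameter.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical template; the page does not show the real markup.
TEMPLATE = "<p>User: {value}</p>"
ID_PATTERN = re.compile(r"[0-9]{1,10}")  # assumption: ids are numeric


def _id_param(url):
    """Return the first id query parameter of a request URL, or ''."""
    return parse_qs(urlsplit(url).query).get("id", [""])[0]


def render_vulnerable(url):
    """Behaviour described on the page: id is reflected unencoded."""
    return TEMPLATE.format(value=_id_param(url))


def encode_only(url):
    """Output encoding alone, for fields that cannot be allow-listed."""
    return TEMPLATE.format(value=html.escape(_id_param(url), quote=True))


def render_hardened(url):
    """Validate id against an allow-list, then HTML-encode on output."""
    raw = _id_param(url)
    if not ID_PATTERN.fullmatch(raw):
        # Reject instead of echoing; the error body contains no user input.
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, "invalid id"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Defence in depth: blocks inline script if encoding is ever missed.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, TEMPLATE.format(value=html.escape(raw, quote=True))


# Constructed sample requests (not taken from the advisory).
BENIGN = "/user_name?id=42"
PROBE = "/user_name?id=%3Cscript%3Ealert(1)%3C/script%3E"

if __name__ == "__main__":
    for result in (render_vulnerable(PROBE), encode_only(PROBE),
                   render_hardened(PROBE), render_hardened(BENIGN)):
        print(result)
```

The same two constructed requests double as a regression check: a response to the probe that still contains a literal `<script>` tag means the parameter is being reflected unencoded.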

Am I affected?

Specific version info not stated in the advisory.

Affected Products

None (TechStore is not a widely known or maintained project; its status and availability are unclear) / TechStore

How to fix

Upgrade to TechStore version 2.x or later. You can find the latest versions on the official GitHub repository: https://github.com/techstore/techstore.

Immediate mitigations:
- Restrict network access to your TechStore instance (firewall it from the public internet).
- Audit admin account activity for suspicious access patterns.
- Monitor for unauthorized token creation.

References