Hi, can you please suggest how to fix this PCI compliance issue, which has been flagged for AcyMailing 10:
My website URL has been replaced with xxx for the purposes of this forum post.
Cross-Site Scripting (XSS) — com_acym /frontusers.html
Details:
Reflected XSS via newsletter subscription form
(https://www.xxx.com/component/acym/frontusers.html?tmpl=component)
Fix:
Add input sanitization and output escaping for all form inputs (subscription[], user[email]).
Full details:
A cross-site scripting vulnerability violates PCI DSS and is considered an automatic failing condition.
This vulnerability is not recognized in the National Vulnerability Database.
A reflected cross-site scripting vulnerability was identified in this web application. Reflected cross-site scripting is when HTML or JavaScript content is supplied to a user-defined parameter to have it then displayed (aka: reflected) back to the user and rendered or interpreted by their browser. This website responded to a harmless web request that included JavaScript/HTML which was reflected back, indicating that the underlying web application may be vulnerable to being used in a cross-site scripting (XSS) attack. While this vulnerability does not exploit the web server itself, it can be utilized by an attacker to target end-users and potentially take over their sessions or other sensitive information. Cross-site scripting can be found in many different forms and combinations, so the full request and response that were used to demonstrate this vulnerability have been provided below as evidence.
SOLUTION:
Before accepting any user-supplied data, the application should validate this data's format and reject any characters that are not explicitly allowed (i.e. a white-list). This list should be as restrictive as possible. Before using any data (stored or user-supplied) to generate web page content, the application should escape all non-alphanumeric characters (i.e. output-validation). This is particularly important when the original source of data is beyond the control of the application. Even if the source of the data isn't performing input-validation, output-validation will still prevent XSS. Please note that the listing of XSS vulnerabilities is not an exhaustive list, and other XSS vulnerabilities may exist in the application.
EVIDENCE:
DetectionDetails: Cross-Site Scripting vulnerability found.
POST - https://www.xxx.ie/component/acym/frontusers.html?tmpl=component - subscription[]
Injection: <script>alert(17600166.00957)</script>
Detection: An alert was detected containing 17600166.00957
Request: POST https://www.xxx.ie/component/acym/frontusers.html?tmpl=component HTTP/1.1
Referer: https://www.xxx.ie/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryp2cvCh5LrELU3IPO
Sysnet Scanning Management System October 09, 2025
Page 65
PCI Scan Vulnerability Report
------WebKitFormBoundaryp2cvCh5LrELU3IPO
Content-Disposition: form-data; name="subscription[]"
<script>alert(17600166.00957)</script>
------WebKitFormBoundaryp2cvCh5LrELU3IPO
Content-Disposition: form-data; name="user[email]"
jsmith20@kelev.biz
------WebKitFormBoundaryp2cvCh5LrELU3IPO
Content-Disposition: form-data; name="terms"
on
------WebKitFormBoundaryp2cvCh5LrELU3IPO
Content-Disposition: form-data; name="ctrl"
frontusers
------WebKitFormBoundaryp2cvCh5LrELU3IPO
Content-Disposition: form-data; name="task"
subscribe
------WebKitFormBoundaryp2cvCh5LrELU3IPO
Content-Disposition: form-data; name="option"
com_acym
------WebKitFormBoundaryp2cvCh5LrELU3IPO
Content-Disposition: form-data; name="ajax"
1
------WebKitFormBoundaryp2cvCh5LrELU3IPO
Content-Disposition: form-data; name="successmode"
replace
------WebKitFormBoundaryp2cvCh5LrELU3IPO
Content-Disposition: form-data; name="acy_source"
Module n°269
------WebKitFormBoundaryp2cvCh5LrELU3IPO
Content-Disposition: form-data; name="hiddenlists"
------WebKitFormBoundaryp2cvCh5LrELU3IPO
Content-Disposition: form-data; name="fields"
name,email
------WebKitFormBoundaryp2cvCh5LrELU3IPO
Content-Disposition: form-data; name="acyformname"
formAcym45471
------WebKitFormBoundaryp2cvCh5LrELU3IPO
Content-Disposition: form-data; name="acysubmode"
mod_acym
------WebKitFormBoundaryp2cvCh5LrELU3IPO
Content-Disposition: form-data; name="confirmation_message"
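The report's SOLUTION section names the two controls (allow-list the input, escape the output) but shows no code. The following is an added example and is not part of the original post or of AcyMailing's own code: a minimal stand-alone PHP handler that reflects the submitted `subscription[]` list IDs and `user[email]` the way the scanner's finding implies (`renderUnsafe`), beside a hardened version that casts list IDs to positive integers, validates the email address, escapes everything it renders and never echoes rejected input back in its error message. The function names, the response text and the JSON shape for the `ajax=1` path are assumptions for illustration; the payload and email address in the sample request are taken from the scan report.

```php
<?php
// Added example (not AcyMailing code): a minimal subscription handler that
// reflects the submitted list IDs and email address. renderUnsafe() shows the
// pattern the scanner's finding implies; renderHardened() applies the report's
// two recommended controls: allow-list validation on input, escaping on output.
// Function names, messages and the JSON shape are assumptions for illustration.
declare(strict_types=1);

// Unsafe: whatever arrives in subscription[] and user[email] is echoed into HTML as-is.
function renderUnsafe(array $post): string
{
    $lists = (array) ($post['subscription'] ?? []);
    $email = (string) ($post['user']['email'] ?? '');
    return '<p>Subscribed ' . $email . ' to lists: ' . implode(', ', $lists) . '</p>';
}

// Input allow-list: a list ID is a positive integer; anything else is dropped.
function validListIds(array $raw): array
{
    $ids = [];
    foreach ($raw as $value) {
        if (is_scalar($value) && preg_match('/^[1-9][0-9]*$/', (string) $value) === 1) {
            $ids[] = (int) $value;
        }
    }
    return array_values(array_unique($ids));
}

// Input allow-list: reject anything that is not a syntactically valid email address.
function validEmail(string $raw): ?string
{
    $email = trim($raw);
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? $email : null;
}

// Output escaping for an HTML text/attribute context: encodes < > & " and '.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: validate first, escape everything that is rendered, and never echo
// the rejected input back in the error message.
function renderHardened(array $post): string
{
    $ids   = validListIds((array) ($post['subscription'] ?? []));
    $email = validEmail((string) ($post['user']['email'] ?? ''));
    if ($email === null || $ids === []) {
        return '<p class="error">Invalid subscription request.</p>';
    }
    return '<p>Subscribed ' . h($email) . ' to lists: ' . h(implode(', ', $ids)) . '</p>';
}

// The ajax=1 path answers with JSON. Escape for HTML before the value goes into
// the JSON (the module may inject the message into the page), and hex-encode
// the JSON itself so it is also safe to embed inside a <script> block.
function renderHardenedJson(array $post): string
{
    $ids   = validListIds((array) ($post['subscription'] ?? []));
    $email = validEmail((string) ($post['user']['email'] ?? ''));
    $ok    = $email !== null && $ids !== [];
    $msg   = $ok
        ? 'Subscribed ' . h($email) . ' to lists: ' . h(implode(', ', $ids))
        : 'Invalid subscription request.';
    return json_encode(
        ['success' => $ok, 'message' => $msg],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample: the exact subscription[] payload and email from the scan report.
$fromScan = [
    'subscription' => ['<script>alert(17600166.00957)</script>'],
    'user'         => ['email' => 'jsmith20@kelev.biz'],
];
// Constructed sample: a legitimate request with a duplicated list ID.
$legit = [
    'subscription' => ['3', '7', '3'],
    'user'         => ['email' => 'jsmith20@kelev.biz'],
];

echo 'unsafe:        ', renderUnsafe($fromScan), PHP_EOL;
echo 'hardened:      ', renderHardened($fromScan), PHP_EOL;
echo 'hardened:      ', renderHardened($legit), PHP_EOL;
echo 'hardened json: ', renderHardenedJson($legit), PHP_EOL;
```

Run it with `php xss_fix.php`: the unsafe line prints the scanner's `<script>` payload verbatim, which is exactly the reflection the ASV tool detected, while the hardened lines either reject the request or render only integer list IDs and an escaped address. In practice the first step is still to apply the vendor's current AcyMailing release for the component and the `mod_acym` module and then request a re-scan; the code above only illustrates what a fix has to do if you maintain your own override of the form handler. The detail that matters for the PCI finding is that the error path must not reflect the offending value either, since the scanner flags any response in which its marker comes back unescaped.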