Using AliExpress XSS vulnerability an attacker can inject any malicious payload script as value into the message parameter, and when the seller will browse to the message center in AliExpress website using his account, the malicious script will be executed on his browser. XSS Payload can be lead to several attacks such as perform actions on behalf of a seller, phishing attacks, steal the victim's sessions identifier, etc.
"Skilled hacker might exploit this vulnerability and perform ranged attack by sending malicious messages to all AliExpress sellers and will cause a huge damage to AliExpress website," Tawily said.AppSec Labs immediately reported the vulnerability to the the Chinese e-commerce giant, Alibaba team through emails and phone calls, providing full details of the flaw. The company didn't respond immediately, but last week, when AppSec Labs spoke to the Israeli media about the issue, Alibaba contacted the security firm.
"We are aware of the issue and took immediate steps to assess and remedy the situation," said Candice Huang, manager of International Corporate Affairs for Alibaba Group. "We have already closed the potential vulnerability and we will continue to closely monitor the situation. The security and privacy of our customers is our highest priority and we will do everything we can to continue to ensure a secure trading environment on our platforms."