GDReseller versions up to 1.6 are affected by a CSRF vulnerability that enables stored XSS attacks. This means that an attacker could trick an authenticated user into submitting a forged request, which the application processes with the user's privileges, potentially injecting malicious scripts that persist in the application. The vulnerability is remotely exploitable without privileges but requires user interaction. The CVSS vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability at low to low levels.

Successful exploitation could allow an attacker to execute stored XSS attacks via CSRF, potentially leading to unauthorized actions performed with the victim's privileges and persistent malicious script injection. This impacts confidentiality, integrity, and availability at a low level but can facilitate further attacks such as session hijacking or defacement. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider implementing CSRF protections such as anti-CSRF tokens and validating user requests. Additionally, applying web application firewalls (WAF) rules to detect and block CSRF and XSS attempts may help mitigate risk.