Cross-Site Scripting (XSS) reflected in Nosto

Posted date 16/06/2025
Identifier
INCIBE-2025-0319
Importance
3 - Medium
Affected Resources

Nosto.

Description

INCIBE has coordinated the publication of a medium severity vulnerability affecting Nosto, an eCommerce platform. The vulnerability was discovered by Gonzalo Aguilar Garcia (6h4ack).

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and vulnerability type CWE:

  • CVE-2025-40726: CVSS v4.0: 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79

Solution

There is no reported solution at this time.

Detail

CVE-2025-40726: reflected Cross-Site Scripting (XSS) vulnerability in /pages/search-results-page in Nosto. The value of the q GET request parameter is returned in the response without adequate output encoding, so a remote attacker who gets a victim to open a crafted link can execute arbitrary JavaScript in the victim's browser, in the context of the vulnerable site. User interaction is required (UI:A in the vector), and the impact is on the subsequent system, i.e. the user's browser session, rather than on the vulnerable component itself (SC:L/SI:L).
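The following is an added example, not code from the advisory or from Nosto. It shows how a practitioner verifies a reflected-XSS report of this shape with a harmless canary instead of a payload, and puts the unencoded reflection side by side with the output-encoding fix (CWE-79 mitigation). The host name, the two render functions and the canary string are constructed for the example; only the path /pages/search-results-page and the parameter name q come from the advisory.

```python
import html
from urllib.parse import urlencode

# Constructed canary: harmless text that is unlikely to occur naturally and
# contains every character that must be encoded in an HTML body or
# attribute context. If it comes back byte-for-byte, encoding is missing.
CANARY = 'incibe<"\'>probe'

# Hypothetical host; path and parameter name are the ones in the advisory.
BASE_URL = "https://shop.example/pages/search-results-page"
PARAM = "q"


def build_probe_url(base=BASE_URL, param=PARAM, canary=CANARY):
    """URL a tester would open (or send with a client) to test for reflection."""
    return f"{base}?{urlencode({param: canary})}"


def render_vulnerable(q):
    """Constructed model of the flaw: the query is interpolated verbatim."""
    return f"<h1>Results for {q}</h1>"


def render_fixed(q):
    """Hardened form: contextual output encoding before interpolation.
    quote=True also encodes the two quote characters, which matters if the
    value is ever placed inside an attribute."""
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


def classify(body, canary=CANARY):
    """Classify a response body for the canary.

    'reflected-unencoded' -> metacharacters intact, very likely XSS
    'reflected-encoded'   -> value echoed but entity-encoded, looks fixed
    'not-reflected'       -> parameter not echoed at all
    """
    if canary in body:
        return "reflected-unencoded"
    if html.escape(canary, quote=True) in body:
        return "reflected-encoded"
    return "not-reflected"


def probe_live(url, timeout=10):
    """Fetch a real page and classify it. Not called here, so the example
    runs offline; only use against systems you are authorised to test."""
    from urllib.request import urlopen
    with urlopen(url, timeout=timeout) as resp:
        return classify(resp.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    print(build_probe_url())
    print("vulnerable:", classify(render_vulnerable(CANARY)))
    print("fixed:     ", classify(render_fixed(CANARY)))
```

A 'reflected-unencoded' result shows that encoding is missing but does not by itself prove exploitability: the reflection context (HTML body, attribute value, script block) decides which characters matter, so the verification step after a positive canary is to look at where in the page the value lands.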
