Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Reflected Cross-Site Scripting (XSS) in AbanteCart

Posted date 12/05/2025
Identificador
INCIBE-2025-0229
Importance
3 - Medium
Affected Resources

AbanteCart v1.4.0.

Description

INCIBE has coordinated the publication of 2 medium severity vulnerabilities affecting AbanteCart, an eCommerce Platform. These vulnerabilities have been discovered by Gonzalo Aguilar Garcia (6h4ack).

These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-40626 and CVE-2025-40627: CVSS v4.0: 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution

Update to the last version 1.4.1.

Detail

AbanteCart has two Reflected Cross-Site Scripting (XSS) vulnerabilities that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. These vulnerabilities can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. For each vulnerability, the malicious URLs are:

  • CVE-2025-40626: "/about_us?[XSS_PAYLOAD]"
  • CVE-2025-40627: "/eyes?[XSS_PAYLOAD]"
References list
AbanteCart
Etiquetas