Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Reflected Cross-Site Scripting (XSS) in osCommerce

Posted date 04/06/2025
Identificador
INCIBE-2025-0291
Importance
3 - Medium
Affected Resources

osCommerce, v4.

Description

INCIBE has coordinated the publication of a medium severity vulnerability affecting osCommerce, an open source eCommerce platform. The vulnerability has been discovered by Gonzalo Aguilar García (6h4ack).

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and vulnerability CWE type:

  • CVE-2025-40674: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution

There is no reported solution at this time.

Detail

CVE-2025-40674: reflected Cross-Site Scripting (XSS) in osCommerce v4. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the name of any parameter in /watch/en/about-us. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.

References list
osCommerce - Product Web
Etiquetas