PT-2020-17175 · Nopcommerce · Nopcommerce Store

Hemant Patidar

Published

2020-12-29

Updated

2020-12-30

CVE-2020-29475

CVSS v3.1

4.8

Medium

Vector

AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions nopCommerce Store version 4.30

Description The issue is related to cross-site scripting (XSS) in the Schedule tasks name field. This allows an attacker to inject an XSS payload, which triggers every time a user visits the affected page, potentially enabling the attacker to steal cookies based on the crafted payload.

Recommendations For nopCommerce Store version 4.30, consider disabling the Schedule tasks name field until a patch is available to prevent the injection of XSS payloads. Restrict access to the Schedule tasks page to minimize the risk of exploitation. Avoid using the Schedule tasks feature until the issue is resolved.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2020-29475

Affected Products

Nopcommerce Store

PT-2020-17175 · Nopcommerce · Nopcommerce Store

CVE-2020-29475

Weakness Enumeration

Related Identifiers

Affected Products

References · 5