CVE-2020-20640

Name of the Vulnerable Software and Affected Versions: ECShop version 4.0

Description: The issue is related to a Cross Site Scripting (XSS) vulnerability due to security filtering issues. Specifically, in the user.php file, it is possible to use HTML entity encoding to bypass the security policy defined in the safety.php file, which triggers the XSS vulnerability.

Recommendations: For ECShop version 4.0, update the security filtering mechanism in the user.php file to properly handle HTML entity encoding and prevent bypassing of the security policy defined in the safety.php file. As a temporary workaround, consider restricting access to the user.php file until a proper fix is applied.