PT-2025-23799 · Oscommerce · Oscommerce

Published: 2025-06-04 · Updated: 2025-06-17 · CVE-2025-40674

CVSS v4.0: 5.1 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: osCommerce version 4

Description: The issue is a Reflected Cross-Site Scripting (XSS) that allows an attacker to execute JavaScript code in the victim's browser. This can be achieved by sending a malicious URL using any parameter name in the "/watch/en/about-us" endpoint. The attacker can exploit this to steal sensitive user data, such as session cookies, or perform actions on behalf of the user.

Recommendations: For osCommerce version 4, update to a version that includes a fix for this issue, as using outdated versions poses a significant risk. As a temporary workaround, consider restricting access to the "/watch/en/about-us" endpoint to minimize the risk of exploitation. Avoid using parameters in this endpoint until the issue is resolved.
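
Until a fixed version is deployed, web server logs can be reviewed for requests to this endpoint whose parameter names or values carry markup. The following is an added example, not code from the advisory or from osCommerce; it assumes Combined Log Format access logs, and the markup heuristic and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/watch/en/about-us"  # path named in the advisory
# Heuristic for this example (not from the advisory): markup characters,
# javascript: URIs and inline event-handler attributes.
MARKUP = re.compile(r"[<>\"'`]|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Request field of a Combined Log Format line (log format is an assumption).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "GET /watch/en/about-us HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jun/2025:12:00:02 +0000] "GET /watch/en/about-us?x%3Cb%3E=1 HTTP/1.1" 200 5133',
    '198.51.100.9 - - [10/Jun/2025:12:00:03 +0000] "GET /watch/en/about-us?ref=%253Cscript%253E HTTP/1.1" 200 5140',
    '198.51.100.9 - - [10/Jun/2025:12:00:04 +0000] "GET /watch/en/contact?x%3Cb%3E=1 HTTP/1.1" 200 4100',
    '192.0.2.44 - - [10/Jun/2025:12:00:05 +0000] "GET /watch/en/about-us?utm_source=newsletter HTTP/1.1" 200 5120',
]

def deep_unquote(text, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def suspicious_params(target):
    """Return (part, text) pairs for parameter names or values carrying markup."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != ENDPOINT:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for part, text in (("name", deep_unquote(name)), ("value", deep_unquote(value))):
            if MARKUP.search(text):
                hits.append((part, text))
    return hits

def scan(lines):
    """Return (line_number, hits) for each logged request worth reviewing."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        hits = suspicious_params(match.group(1)) if match else []
        if hits:
            findings.append((number, hits))
    return findings
```

Calling `scan(SAMPLE_LOG)` flags lines 2 and 3 of the sample; the parameter name is checked as well as the value because the advisory states that any parameter name can be used.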

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-40674

Affected Products: Oscommerce