Security Research & Advisories

Multiple Stored Cross-Site Scripting(XSS) Vulnerabilities in Katyshop2 2.11

Product Katyshop2
Affected Version(s) 2.11 and probably prior
Tested Version(s) 2.11
Vendor Notification May 4, 2020
Advisory Publication May 4, 2020 [without technical details]
Vendor Fix N/A
Public Disclosure N/A
Latest Modification May 4, 2020
CVE Identifier(s) CVE-2020-12683
Product Description E-commerce application for small businesses; written in PHP and MySQL. Products list, categories, user login, persons and companies, contact page, order.
Credits Carlos Ramírez L. Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Reflected Cross-Site Scripting (XSS) Vulnerability
Severity: Medium CVSS Score: 5.4 CWE-ID: CWE-79 Status: Not Fixed
Vulnerability Description
The web application running on Katyshop2 appliance is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities affecting version 2.11 and probably prior versions. These vulnerabilities could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.
CVSS Base Score
Attack Vector Network Scope Changed
Attack Complexity Low Confidentiality Impact Low
Privileges Required Low Integrity Impact Low
User Interaction Required Availability Impact None


Full details about the vulnerability will be disclosed once the vendor has provided a patch.