Vendor | |
Product | Katyshop2 |
Affected Version(s) | 2.11 and probably prior |
Tested Version(s) | 2.11 |
Vendor Notification | May 4, 2020 |
Advisory Publication | May 4, 2020 [without technical details] |
Vendor Fix | N/A |
Public Disclosure | N/A |
Latest Modification | May 4, 2020 |
CVE Identifier(s) | CVE-2020-12683 |
Product Description | E-commerce application for small businesses; written in PHP and MySQL. Products list, categories, user login, persons and companies, contact page, order. |
Credits | Carlos Ramírez L. Security Researcher & Penetration Tester @wizlynx group |
Reflected Cross-Site Scripting (XSS) Vulnerability | |||
Severity: Medium | CVSS Score: 5.4 | CWE-ID: CWE-79 | Status: Not Fixed |
Vulnerability Description | |||
The web application running on Katyshop2 appliance is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities affecting version 2.11 and probably prior versions. These vulnerabilities could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. | |||
CVSS Base Score | |||
Attack Vector | Network | Scope | Changed |
Attack Complexity | Low | Confidentiality Impact | Low |
Privileges Required | Low | Integrity Impact | Low |
User Interaction | Required | Availability Impact | None |
Full details about the vulnerability will be disclosed once the vendor has provided a patch.