| Vendor |
|
| Product | Katyshop2 |
| Affected Version(s) | 2.11 and probably prior |
| Tested Version(s) | 2.11 |
| Vendor Notification | May 4, 2020 |
| Advisory Publication | May 4, 2020 [without technical details] |
| Vendor Fix | N/A |
| Public Disclosure | N/A |
| Latest Modification | May 4, 2020 |
| CVE Identifier(s) | CVE-2020-12683 |
| Product Description | E-commerce application for small businesses; written in PHP and MySQL. Products list, categories, user login, persons and companies, contact page, order. |
| Credits | Carlos Ramírez L. Security Researcher & Penetration Tester @wizlynx group |
| Reflected Cross-Site Scripting (XSS) Vulnerability | |||
| Severity: Medium | CVSS Score: 5.4 | CWE-ID: CWE-79 | Status: Not Fixed |
| Vulnerability Description | |||
| The web application running on Katyshop2 appliance is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities affecting version 2.11 and probably prior versions. These vulnerabilities could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. | |||
| CVSS Base Score | |||
| Attack Vector | Network | Scope | Changed |
| Attack Complexity | Low | Confidentiality Impact | Low |
| Privileges Required | Low | Integrity Impact | Low |
| User Interaction | Required | Availability Impact | None |
Full details about the vulnerability will be disclosed once the vendor has provided a patch.