[FD] nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality
- From: Onur Tezcan via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Date: Fri, 12 Dec 2025 14:35:08 +0000
[Attack Vectors]
> A Stored XSS vulnerability was detected in the Attributes
management workflow. An attacker can insert JavaScript into the Name field when
adding a new Attribute Group (Catalog > Attributes > Specification attributes >
Add Group > Name input field). To exploit the vulnerability, privileged users
should visit the "Specification attributes" page.
Assigned CVE code:
> CVE-2025-65589
[Discoverer]
> AlterSec t/a PenTest.NZ
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/