[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Currencies functionality.

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Currencies functionality.
From: Onur Tezcan via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
Date: Fri, 12 Dec 2025 15:04:09 +0000

 [Attack Vectors]
      > It was detected that a Stored XSS vulnerability on the "Currencies" 
functionality, specifically on the following input field: "Configuration > 
Currencies > Edit one of the currencies > "Custom formatting" input field. 
After saving the payload, the vulnerability can be triggered by visiting the 
following pages:
 - Bestsellers,
 - "Sales" > "Orders"
 - Also when someone views one of the products via the shop application the 
payload is triggered.

Assigned CVE code:
       > CVE-2025-65591

 [Discoverer]
      > AlterSec t/a PenTest.NZ


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Prev by Date: [FD] nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area
Next by Date: [FD] nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality
Previous by thread: [FD] nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area
Next by thread: [FD] nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality
Index(es):
- Date
- Thread