[FD] nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality
- From: Onur Tezcan via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Date: Fri, 12 Dec 2025 15:07:24 +0000
[Attack Vectors]
> Multiple Stored Cross-Site Scripting (Stored XSS) vulnerabilities were detected
in the product management functionality. Malicious JavaScript
payloads inserted into the "Product Name" and "Short Description" fields are
stored in the backend database and executed automatically whenever a user
(administrator or customer) views the affected pages.
Assigned CVE code:
> CVE-2025-65592
[Discoverer]
> AlterSec t/a PenTest.NZ
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
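
For defenders triaging an affected store, a sketch of an audit over exported product rows that flags active content in the two fields the advisory names. This is an added example, not part of the original post and not nopCommerce code; the column names `Id`, `Name` and `ShortDescription` and the sample rows are assumptions.

```python
from html.parser import HTMLParser

# Fields named in the advisory; the dict keys are assumed export column names.
FIELDS = ("Name", "ShortDescription")
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "base", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class ActiveContentFinder(HTMLParser):
    """Collects reasons a stored string would run script if rendered unencoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            url = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and url.startswith(("javascript:", "data:text/html")):
                self.findings.append(f"script URL in {name} on <{tag}>")


def audit(records):
    """Return (record id, field, reasons) for each field holding active content."""
    hits = []
    for rec in records:
        for field in FIELDS:
            finder = ActiveContentFinder()
            finder.feed(rec.get(field) or "")
            finder.close()
            if finder.findings:
                hits.append((rec["Id"], field, finder.findings))
    return hits


# Constructed sample rows, not taken from the advisory.
SAMPLE = [
    {"Id": 1, "Name": "Blue <b>Widget</b> 5\" & case", "ShortDescription": "Fits x < 3 cm"},
    {"Id": 2, "Name": "Mug<script>alert(1)</script>", "ShortDescription": "Plain"},
    {"Id": 3, "Name": "Lamp", "ShortDescription": '<img src=x onerror="alert(1)">'},
    {"Id": 4, "Name": "Pen", "ShortDescription": '<a href="javascript:alert(1)">x</a>'},
]

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print(hit)
```

A hit is a lead for review and cleanup of the stored row; the durable fix is HTML-encoding these fields wherever they are rendered.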