Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Recommended Posts

Posted

Hi,

We recently became aware of the published vulnerability CVE-2025-40674, which affects osCommerce v4.

As outlined in the CVE details, this is a Reflected Cross-Site Scripting (XSS) vulnerability that allows an attacker to execute JavaScript code in a victim’s browser by sending a malicious URL that manipulates parameters. This could potentially be exploited to steal sensitive data, such as session cookies, or perform unauthorized actions on behalf of the user.

Could you please confirm whether this vulnerability will be addressed in the upcoming patch release?
If so, could you also provide an estimated timeline for the release?

Looking forward to your response.

Best regards,
Sanjay

Posted (edited)

Protection against reflected XSS has been implemented at least since version 4.11. You can verify this yourself by opening one of the following URLs — the payloads will be safely neutralized and not executed:

https://demo.oscommerce.com/watch/en/about-us?name=<script>alert(1)</script>
https://demo.oscommerce.com/watch/en/about-us?foo="<img src=x onerror=alert(1)>

 

Edited by pandrei

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...