Sanjay_786
Posted June 23

Hi,

We recently became aware of the published vulnerability CVE-2025-40674, which affects osCommerce v4. As outlined in the CVE details, this is a Reflected Cross-Site Scripting (XSS) vulnerability that allows an attacker to execute JavaScript code in a victim’s browser by sending a malicious URL that manipulates parameters. This could potentially be exploited to steal sensitive data, such as session cookies, or perform unauthorized actions on behalf of the user.

Could you please confirm whether this vulnerability will be addressed in the upcoming patch release? If so, could you also provide an estimated timeline for the release?

Looking forward to your response.

Best regards,
Sanjay

pandrei
Posted June 23

Protection against reflected XSS has been implemented at least since version 4.11. You can verify this yourself by opening one of the following URLs — the payloads will be safely neutralized and not executed:

https://demo.oscommerce.com/watch/en/about-us?name=<script>alert(1)</script>
https://demo.oscommerce.com/watch/en/about-us?foo="<img src=x onerror=alert(1)>

Edited June 23 by pandrei
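
An offline version of the check described in the reply above, as an added example that is not part of the original thread or of osCommerce's code: given a saved response body, it classifies each query value from the two quoted URLs as reflected raw, entity-encoded, or absent. The function names and both sample bodies are constructed for illustration.

```python
import html
from urllib.parse import parse_qsl

# The two test URLs quoted in the reply above.
TEST_URLS = [
    'https://demo.oscommerce.com/watch/en/about-us?name=<script>alert(1)</script>',
    'https://demo.oscommerce.com/watch/en/about-us?foo="<img src=x onerror=alert(1)>',
]

def query_values(url):
    """Return the decoded query-string values of a URL."""
    query = url.partition("?")[2]
    return [value for _, value in parse_qsl(query, keep_blank_values=True)]

def reflection_status(body, value):
    """Classify how `value` shows up in an HTML response body.

    'raw'     - present verbatim, so its markup reaches the HTML parser
    'encoded' - present only as HTML entities, so it renders as text
    'absent'  - not reflected verbatim (stripped, rewritten or unused)
    """
    if value in body:
        return "raw"  # worst case wins even if an encoded copy also exists
    if value in html.unescape(body):
        return "encoded"
    return "absent"

def audit(body, urls=TEST_URLS):
    """Map every query value in `urls` to its reflection status in `body`."""
    return {v: reflection_status(body, v) for u in urls for v in query_values(u)}

# Constructed response bodies (assumptions, not captured from any real site).
ENCODED_BODY = (
    '<input name="name" value="&lt;script&gt;alert(1)&lt;/script&gt;">'
    '<a href="?foo=&quot;&lt;img src=x onerror=alert(1)&gt;">next</a>'
)
RAW_BODY = '<p>Hello <script>alert(1)</script></p>'

if __name__ == "__main__":
    for label, body in (("encoded", ENCODED_BODY), ("raw", RAW_BODY)):
        print(label, audit(body))
```

An `encoded` result only covers HTML text and attribute contexts; a value reflected inside a script block or a URL attribute needs that context's own encoding.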