OpenCVE

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability, which allows attackers to inject JS via the "title" parameter, in the "/admin/admin-menu/add-submit" endpoint, which can lead to unauthorized execution of scripts in a user's web browser.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Oscommerce	Oscommerce

Configuration 1 [-]

cpe:2.3:a:oscommerce:oscommerce:4.12.56860:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://fluidattacks.com/advisories/bts/
https://www.oscommerce.com/

History

Mon, 23 Sep 2024 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published: 2023-09-30T20:53:29.434Z

Updated: 2024-09-23T15:55:26.642Z

Reserved: 2023-09-21T14:12:18.842Z

Link: CVE-2023-43713

Vulnrichment

Updated: 2024-08-02T19:44:44.095Z

NVD

Status : Analyzed

Published: 2023-09-30T21:15:09.947

Modified: 2023-10-19T01:52:12.623

Link: CVE-2023-43713

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-43713", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2023-09-21T14:12:18.842Z", "datePublished": "2023-09-30T20:53:29.434Z", "dateUpdated": "2024-09-23T15:55:26.642Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Os Commerce", "vendor": "Os Commerce", "versions": [{"status": "affected", "version": "4.12.56860"}]}], "datePublic": "2023-09-30T02:08:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability,<br>which allows attackers to inject JS via the \"title\" parameter, in the \"/admin/admin-menu/add-submit\"<br>endpoint, which can lead to unauthorized execution of scripts in a user's web browser."}], "value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability,\nwhich allows attackers to inject JS via the \"title\" parameter, in the \"/admin/admin-menu/add-submit\"\nendpoint, which can lead to unauthorized execution of scripts in a user's web browser."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2023-10-06T15:55:12.487Z"}, "references": [{"url": "https://fluidattacks.com/advisories/bts/"}, {"url": "https://www.oscommerce.com/"}], "source": {"discovery": "EXTERNAL"}, "title": "Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:44:44.095Z"}, "title": "CVE Program Container", "references": [{"url": "https://fluidattacks.com/advisories/bts/", "tags": ["x_transferred"]}, {"url": "https://www.oscommerce.com/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-23T15:53:55.074526Z", "id": "CVE-2023-43713", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T15:55:26.642Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://fluidattacks.com/advisories/bts/", "tags": ["x_transferred"]}, {"url": "https://www.oscommerce.com/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:44:44.095Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-43713", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-23T15:53:55.074526Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T15:55:21.783Z"}}], "cna": {"title": "Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Os Commerce", "product": "Os Commerce", "versions": [{"status": "affected", "version": "4.12.56860"}], "defaultStatus": "unaffected"}], "datePublic": "2023-09-30T02:08:00.000Z", "references": [{"url": "https://fluidattacks.com/advisories/bts/"}, {"url": "https://www.oscommerce.com/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability,\nwhich allows attackers to inject JS via the \"title\" parameter, in the \"/admin/admin-menu/add-submit\"\nendpoint, which can lead to unauthorized execution of scripts in a user's web browser.", "supportingMedia": [{"type": "text/html", "value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability,<br>which allows attackers to inject JS via the \"title\" parameter, in the \"/admin/admin-menu/add-submit\"<br>endpoint, which can lead to unauthorized execution of scripts in a user's web browser.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2023-10-06T15:55:12.487Z"}}}, "cveMetadata": {"cveId": "CVE-2023-43713", "state": "PUBLISHED", "dateUpdated": "2024-09-23T15:55:26.642Z", "dateReserved": "2023-09-21T14:12:18.842Z", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "datePublished": "2023-09-30T20:53:29.434Z", "assignerShortName": "Fluid Attacks"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oscommerce:oscommerce:4.12.56860:*:*:*:*:*:*:*", "matchCriteriaId": "541F9752-737F-4120-8D29-BE714711E66D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability,\nwhich allows attackers to inject JS via the \"title\" parameter, in the \"/admin/admin-menu/add-submit\"\nendpoint, which can lead to unauthorized execution of scripts in a user's web browser."}, {"lang": "es", "value": "Os Commerce es actualmente susceptible a una vulnerabilidad de Cross-Site Scripting (XSS), que permite a los atacantes inyectar JS a trav\u00e9s del par\u00e1metro \"title\", en el endpoint \"/admin/admin-menu/add-submit\", lo que puede conducir a accesos no autorizados ejecuci\u00f3n de scripts en el navegador web de un usuario."}], "id": "CVE-2023-43713", "lastModified": "2023-10-19T01:52:12.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "help@fluidattacks.com", "type": "Secondary"}]}, "published": "2023-09-30T21:15:09.947", "references": [{"source": "help@fluidattacks.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://fluidattacks.com/advisories/bts/"}, {"source": "help@fluidattacks.com", "tags": ["Product"], "url": "https://www.oscommerce.com/"}], "sourceIdentifier": "help@fluidattacks.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "help@fluidattacks.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Secondary"}]}