CVE-2023-6296 - OpenCVE

A vulnerability was found in osCommerce 4. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /catalog/compare of the component Instant Message Handler. The manipulation of the argument compare with the input 40dz4iq"><script>alert(1)</script>zohkx leads to cross site scripting. The attack may be launched remotely. VDB-246122 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Oscommerce	Oscommerce

Configuration 1 [-]

cpe:2.3:a:oscommerce:oscommerce:4.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/175925/osCommerce-4-Cross-Site-Scripting.html
https://vuldb.com/?ctiid.246122
https://vuldb.com/?id.246122

History

No history.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2023-11-26T21:31:04.142Z

Updated: 2024-08-02T08:28:20.954Z

Reserved: 2023-11-26T07:20:43.976Z

Link: CVE-2023-6296

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-11-26T22:15:06.983

Modified: 2024-05-17T02:33:37.480

Link: CVE-2023-6296

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6296", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2023-11-26T07:20:43.976Z", "datePublished": "2023-11-26T21:31:04.142Z", "dateUpdated": "2024-08-02T08:28:20.954Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2023-11-26T21:31:04.142Z"}, "title": "osCommerce Instant Message compare cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Cross Site Scripting"}]}], "affected": [{"vendor": "n/a", "product": "osCommerce", "versions": [{"version": "4", "status": "affected"}], "modules": ["Instant Message Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in osCommerce 4. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /catalog/compare of the component Instant Message Handler. The manipulation of the argument compare with the input 40dz4iq\"><script>alert(1)</script>zohkx leads to cross site scripting. The attack may be launched remotely. VDB-246122 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "Eine problematische Schwachstelle wurde in osCommerce 4 ausgemacht. Dies betrifft einen unbekannten Teil der Datei /catalog/compare der Komponente Instant Message Handler. Durch Manipulieren des Arguments compare mit der Eingabe 40dz4iq\"><script>alert(1)</script>zohkx mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "timeline": [{"time": "2023-11-26T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2023-11-26T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2023-11-26T08:25:56.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "skalvin (VulDB User)", "type": "analyst"}], "references": [{"url": "https://vuldb.com/?id.246122", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.246122", "tags": ["signature", "permissions-required"]}, {"url": "http://packetstormsecurity.com/files/175925/osCommerce-4-Cross-Site-Scripting.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:28:20.954Z"}, "title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.246122", "tags": ["vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.246122", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "http://packetstormsecurity.com/files/175925/osCommerce-4-Cross-Site-Scripting.html", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oscommerce:oscommerce:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "D289144B-230C-46DA-B11D-9A1D3A1DFCE9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in osCommerce 4. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /catalog/compare of the component Instant Message Handler. The manipulation of the argument compare with the input 40dz4iq\"><script>alert(1)</script>zohkx leads to cross site scripting. The attack may be launched remotely. VDB-246122 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en osCommerce 4. Se ha calificado como problem\u00e1tica. Una funci\u00f3n desconocida del archivo /catalog/compare del componente Instant Message Handler es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento comparar con la entrada 40dz4iq\">zohkx conduce a cross site scripting. El ataque puede iniciarse de forma remota. VDB-246122 es el identificador asignado a esta vulnerabilidad. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2023-6296", "lastModified": "2024-05-17T02:33:37.480", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2023-11-26T22:15:06.983", "references": [{"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/175925/osCommerce-4-Cross-Site-Scripting.html"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory"], "url": "https://vuldb.com/?ctiid.246122"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory"], "url": "https://vuldb.com/?id.246122"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cna@vuldb.com", "type": "Primary"}]}