Impact
Stored cross‑site scripting (XSS) exists in the SimplCommerce NewsItemApiController; the ShortContent and FullContent fields are saved without any HTML sanitization and later rendered using @Html.Raw(), allowing an authenticated administrator to inject and execute arbitrary JavaScript through the news module interface. This flaw permits the attacker to run client‑side code within the context of an administrator's browser session, potentially compromising sensitive data, enabling credential theft or hijacking, and enabling further opportunistic actions on the system.
Affected Systems
The vulnerability affects SimplCommerce, specifically the News module used by administrators. All installations running a version of the product prior to the commit identified by 6142d3b5 are potentially vulnerable. Users who have not applied this commit are at risk.
Risk and Exploitability
The CVSS score of 6.2 indicates moderate severity, and the EPSS score is not available, suggesting limited public exploitation data. The flaw requires authenticated administrator access, so attackers must either have legitimate admin credentials or compromise an administrator's session. Since the vulnerability has not been listed in the CISA KEV catalog, there is no confirmed exploitation evidence at this time. When present, an attacker could inject malicious JavaScript into the news published content, which will run in any browser that loads the page, potentially allowing credential theft, session hijacking, or defacement. The lack of mitigating controls within the application makes exploitation straightforward for privileged users.
OpenCVE Enrichment