Description
Cross Site Scripting vulnerability in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows a remote attacker to execute arbitrary code via the detail_produk.php component
Published: 2026-04-30
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected Cross‑Site Scripting flaw in the detail_produk.php component of RafyMrX TOKO‑ONLINE‑ROTI v.1.0. Because the page outputs user‑supplied data without proper sanitization, a crafted request can inject arbitrary JavaScript, which the attacker can then execute in the victim’s browser. This can lead to session hijacking, defacement, theft of sensitive data, and compromise of the confidentiality and integrity of the application for users who visit the vulnerable URL.

Affected Systems

The affected system is the RafyMrX TOKO‑ONLINE‑ROTI e‑commerce application, version 1.0, specifically the detail_produk.php page that displays product details. No other products or versions are listed as affected, and the vendor’s CNA information is not provided.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate‑to‑high risk for an XSS flaw. The EPSS score is 0.00055, indicating a very low exploitation probability. The vulnerability is not in the CISA KEV catalog. The likely attack vector is remote: an attacker can deliver a malicious URL or manipulate the query string of a product detail page. Once a victim’s browser processes the injected script, the attacker can hijack the session, deface the site, or exfiltrate information.

Generated by OpenCVE AI on May 2, 2026 at 10:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a patch or upgrade to a newer version of RafyMrX TOKO‑ONLINE‑ROTI that fixes the detail_produk.php XSS flaw
  • If a patch is not yet available, sanitize all user input and encode all output in detail_produk.php to prevent script execution
  • Configure a strict Content‑Security‑Policy header to block inline scripts and disallow loading of remote JavaScript

Generated by OpenCVE AI on May 2, 2026 at 10:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 11:15:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting in RafyMrX TOKO‑ONLINE‑ROTI Detail Page Enabling Client‑Side Code Execution

Fri, 01 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Rafymrx
Rafymrx toko-online-roti
Vendors & Products Rafymrx
Rafymrx toko-online-roti

Thu, 30 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description Cross Site Scripting vulnerability in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows a remote attacker to execute arbitrary code via the detail_produk.php component
References

Subscriptions

Rafymrx Toko-online-roti
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-30T17:29:23.886Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38940

cve-icon Vulnrichment

Updated: 2026-04-30T17:29:18.780Z

cve-icon NVD

Status : Deferred

Published: 2026-04-30T16:16:43.537

Modified: 2026-04-30T18:16:30.273

Link: CVE-2026-38940

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T11:00:06Z

Weaknesses