Oscommerce
CVE-2023-43704
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "title" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
AnalysisAI
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "title" parameter, potentially leading to unauthorized execution of scripts within a user's web browser. Affected products include: Oscommerce.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Oscommerce
View allA vulnerability, which was classified as critical, has been found in osCommerce 4. Rated critical severity (CVSS 9.8), t
osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Rated critical severity (CVSS 9.8), this vuln
osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF. Rated high severity (CVSS 8.8), this vulnera
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database q
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database q
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database q
An issue was discovered in osCommerce v4, allows local attackers to bypass file upload restrictions and execute arbitrar
The PayPal Pro PayFlow EC module in osCommerce does not verify that the server hostname matches a domain name in the sub
The PayPal Pro PayFlow module in osCommerce does not verify that the server hostname matches a domain name in the subjec
The PayPal Pro module in osCommerce does not verify that the server hostname matches a domain name in the subject's Comm
The PayPal Express module in osCommerce does not verify that the server hostname matches a domain name in the subject's
The MoneyBookers module in osCommerce does not verify that the server hostname matches a domain name in the subject's Co
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today