Skip to main content

CS-Cart CVE-2025-50848

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-07-31 cve@mitre.org
6.1
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L reflects the likely minimum of a registered customer account to access file upload; all other metrics align with stored XSS delivered via trusted domain with scope change affecting other users.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 03:59 vuln.today

DescriptionCVE.org

A file upload vulnerability was discovered in CS Cart 4.18.3, allows attackers to execute arbitrary code. CS Cart 4.18.3 allows unrestricted upload of HTML files, which are rendered directly in the browser when accessed. This allows an attacker to upload a crafted HTML file containing malicious content, such as a fake login form for credential harvesting or scripts for Cross-Site Scripting (XSS) attacks. Since the content is served from a trusted domain, it significantly increases the likelihood of successful phishing or script execution against other users.

AnalysisAI

Unrestricted HTML file upload in CS-Cart 4.18.3 enables stored cross-site scripting and phishing attacks against users of affected storefronts. An attacker who can upload files to the platform may submit a crafted HTML document subsequently served from the trusted store domain, allowing arbitrary JavaScript execution in victims' browsers or presentation of convincing fake login pages for credential harvesting. Publicly available exploit code exists on GitHub; the EPSS score of 0.22% (13th percentile) reflects low observed exploitation pressure and the vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

CS-Cart (CPE: cpe:2.3:a:cs-cart:cs-cart:4.18.3:*:*:*:*:*:*:*) is a commercial PHP-based e-commerce platform. The root cause - CWE-79, Improper Neutralization of Input During Web Page Generation - manifests here through absent or insufficient file extension and MIME-type enforcement on the upload subsystem: the application does not block .html or .htm files, nor does it override the response Content-Type to force download, so browsers render uploaded HTML as a full document. Because the file is served from the legitimate CS-Cart domain, same-origin trust allows embedded scripts to interact with session cookies and other domain-scoped data, lending equal credibility to phishing overlays. The 'RCE' tag attached to this CVE in the intelligence metadata is misleading - the impact is client-side code execution within the victim's browser context, not server-side remote code execution, and should not be interpreted as a server-compromise vector.

RemediationAI

No vendor-released patch identified at time of analysis. The only public reference is the researcher PoC at https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50848.md; no CS-Cart security bulletin or fix version has been published. As a primary compensating control, administrators should configure the web server to serve all files from user-accessible upload directories with a Content-Disposition: attachment header, forcing download rather than browser rendering - this neutralizes XSS and phishing without blocking uploads, though it will break any legitimate inline preview functionality. A stricter alternative is denying upload of .html, .htm, .svg, and .xhtml extensions at the application validation layer, which fully closes the attack class at the cost of preventing HTML document uploads by users who may rely on this legitimately. Additionally, deploying a restrictive Content-Security-Policy header on the storefront domain constrains what uploaded scripts can access even if rendered, reducing the impact of any bypass. CS-Cart operators should monitor the vendor's security advisories for an official patch and apply it immediately upon release.

CVE-2015-2701 MEDIUM POC
6.8 Mar 25

Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of

CVE-2016-4862 HIGH
8.8 Apr 20

Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remot

CVE-2017-2138 HIGH
8.8 Aug 02

Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), C

CVE-2025-50850 HIGH
8.6 Jul 31

Credential brute-forcing against CS-Cart 4.18.3 is possible because the vendor login endpoint ships without CAPTCHA, rat

CVE-2017-15673 HIGH
7.2 Nov 28

The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP

CVE-2025-50847 MEDIUM
6.5 Jul 31

Cross-Site Request Forgery in CS-Cart 4.18.3 permits an attacker to silently add arbitrary products to an authenticated

CVE-2021-32202 MEDIUM
6.1 Sep 14

In CS-Cart version 4.11.1, it is possible to induce copy-paste XSS by manipulating the "post description" filed in the b

CVE-2017-10886 MEDIUM
5.4 Nov 17

Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multiv

CVE-2017-2139 MEDIUM
5.3 Apr 28

CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and ear

CVE-2013-0118 MEDIUM
5.0 Feb 24

CS-Cart before 3.0.6, when PayPal Standard Payments is configured, allows remote attackers to set the payment recipient

CVE-2013-7317 MEDIUM
4.3 Jan 24

Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary w

Share

CVE-2025-50848 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy