CS-Cart
CVE-2025-50848
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
PR:L reflects the likely minimum of a registered customer account to access file upload; all other metrics align with stored XSS delivered via trusted domain with scope change affecting other users.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A file upload vulnerability was discovered in CS Cart 4.18.3, allows attackers to execute arbitrary code. CS Cart 4.18.3 allows unrestricted upload of HTML files, which are rendered directly in the browser when accessed. This allows an attacker to upload a crafted HTML file containing malicious content, such as a fake login form for credential harvesting or scripts for Cross-Site Scripting (XSS) attacks. Since the content is served from a trusted domain, it significantly increases the likelihood of successful phishing or script execution against other users.
AnalysisAI
Unrestricted HTML file upload in CS-Cart 4.18.3 enables stored cross-site scripting and phishing attacks against users of affected storefronts. An attacker who can upload files to the platform may submit a crafted HTML document subsequently served from the trusted store domain, allowing arbitrary JavaScript execution in victims' browsers or presentation of convincing fake login pages for credential harvesting. Publicly available exploit code exists on GitHub; the EPSS score of 0.22% (13th percentile) reflects low observed exploitation pressure and the vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
CS-Cart (CPE: cpe:2.3:a:cs-cart:cs-cart:4.18.3:*:*:*:*:*:*:*) is a commercial PHP-based e-commerce platform. The root cause - CWE-79, Improper Neutralization of Input During Web Page Generation - manifests here through absent or insufficient file extension and MIME-type enforcement on the upload subsystem: the application does not block .html or .htm files, nor does it override the response Content-Type to force download, so browsers render uploaded HTML as a full document. Because the file is served from the legitimate CS-Cart domain, same-origin trust allows embedded scripts to interact with session cookies and other domain-scoped data, lending equal credibility to phishing overlays. The 'RCE' tag attached to this CVE in the intelligence metadata is misleading - the impact is client-side code execution within the victim's browser context, not server-side remote code execution, and should not be interpreted as a server-compromise vector.
RemediationAI
No vendor-released patch identified at time of analysis. The only public reference is the researcher PoC at https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50848.md; no CS-Cart security bulletin or fix version has been published. As a primary compensating control, administrators should configure the web server to serve all files from user-accessible upload directories with a Content-Disposition: attachment header, forcing download rather than browser rendering - this neutralizes XSS and phishing without blocking uploads, though it will break any legitimate inline preview functionality. A stricter alternative is denying upload of .html, .htm, .svg, and .xhtml extensions at the application validation layer, which fully closes the attack class at the cost of preventing HTML document uploads by users who may rely on this legitimately. Additionally, deploying a restrictive Content-Security-Policy header on the storefront domain constrains what uploaded scripts can access even if rendered, reducing the impact of any bypass. CS-Cart operators should monitor the vendor's security advisories for an official patch and apply it immediately upon release.
Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of
Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remot
Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), C
Credential brute-forcing against CS-Cart 4.18.3 is possible because the vendor login endpoint ships without CAPTCHA, rat
The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP
Cross-Site Request Forgery in CS-Cart 4.18.3 permits an attacker to silently add arbitrary products to an authenticated
In CS-Cart version 4.11.1, it is possible to induce copy-paste XSS by manipulating the "post description" filed in the b
Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multiv
CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and ear
CS-Cart before 3.0.6, when PayPal Standard Payments is configured, allows remote attackers to set the payment recipient
Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary w
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today