Simplcommerce
Monthly
Cross-site request forgery in SimplCommerce's NewsItemApiController allows remote attackers to coerce an authenticated administrator's browser into creating or modifying news items via the `/api/news-items` endpoint, due to a disabled anti-forgery filter prior to commit 6233d73e. The CVSS 4.0 score of 8.3 reflects high integrity impact extending to subsequent systems (the admin's session), and no public exploit identified at time of analysis, though Checkmarx has published reference material describing the issue.
Stored XSS in SimplCommerce's news module allows an authenticated administrator to persist arbitrary JavaScript via the ShortContent and FullContent fields of NewsItemApiController, which are stored without HTML sanitization and rendered unencoded through Razor's @Html.Raw() method. Any site visitor who subsequently loads an affected news page will execute the injected script in their browser, enabling session hijacking, credential theft, or malicious redirects. No public exploit code or CISA KEV listing exists at time of analysis; an upstream fix is available at commit 6142d3b5 per Checkmarx's disclosure.
Cross-site request forgery in SimplCommerce's NewsItemApiController allows remote attackers to coerce an authenticated administrator's browser into creating or modifying news items via the `/api/news-items` endpoint, due to a disabled anti-forgery filter prior to commit 6233d73e. The CVSS 4.0 score of 8.3 reflects high integrity impact extending to subsequent systems (the admin's session), and no public exploit identified at time of analysis, though Checkmarx has published reference material describing the issue.
Stored XSS in SimplCommerce's news module allows an authenticated administrator to persist arbitrary JavaScript via the ShortContent and FullContent fields of NewsItemApiController, which are stored without HTML sanitization and rendered unencoded through Razor's @Html.Raw() method. Any site visitor who subsequently loads an affected news page will execute the injected script in their browser, enabling session hijacking, credential theft, or malicious redirects. No public exploit code or CISA KEV listing exists at time of analysis; an upstream fix is available at commit 6142d3b5 per Checkmarx's disclosure.