
Description

SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the 'descr' parameter in the product edit form to execute arbitrary code in administrative users' browsers.

PUBLISHED Reserved 2025-12-11 | Published 2025-12-11 | Updated 2025-12-12 | Assigner VulnCheck




MEDIUM: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)

HIGH: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status: unaffected

1.9.0.3: affected

Credits

Eren Sen (finder)

References

www.exploit-db.com/exploits/51919 (ExploitDB-51919) exploit

www.vulncheck.com/...-site-scripting-via-product-description (VulnCheck Advisory: SPA-CART CMS 1.9.0.3 Stored Cross-Site Scripting via Product Description) third-party-advisory

cve.org (CVE-2024-58304)

nvd.nist.gov (CVE-2024-58304)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.