CVE-2025-40674
BaseFortify
Publication date: 2025-06-17
Last updated on: 2025-06-17
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-40674 is a reflected Cross-Site Scripting (XSS) vulnerability in osCommerce version 4. It occurs in the /watch/en/about-us endpoint, where an attacker can create a malicious URL using the name of any parameter to execute arbitrary JavaScript code in the victim's browser. This means that when a victim clicks on the malicious link, the attacker's script runs in their browser. [1]
How can this vulnerability impact me? :
This vulnerability can be exploited to steal sensitive user data such as session cookies, which can lead to account hijacking. Additionally, it can allow attackers to perform unauthorized actions on behalf of the user, potentially compromising user accounts and data integrity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /watch/en/about-us endpoint of osCommerce v4 for reflected Cross-Site Scripting (XSS). You can craft and send HTTP requests with malicious JavaScript payloads in the parameter names and observe if the payload is reflected and executed in the response. For example, using curl to send a request with a parameter name containing a script tag and checking the response for the reflected script. Example command: curl -v "http://your-oscommerce-site/watch/en/about-us?<script>alert(1)</script>=test". If the script is reflected in the response without proper sanitization, the vulnerability is present. [1]
What immediate steps should I take to mitigate this vulnerability?
Since no patch or official solution is currently available, immediate mitigation steps include implementing web application firewall (WAF) rules to detect and block malicious requests targeting the /watch/en/about-us endpoint with suspicious parameter names containing script or HTML tags. Additionally, restrict or sanitize input on the server side to prevent execution of injected scripts. Inform users to avoid clicking suspicious links until a patch is released. [1]