CVE-2025-7567
BaseFortify
Publication date: 2025-07-14
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shopxo | shopxo | 6.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7567 is a reflected Cross-Site Scripting (XSS) vulnerability in ShopXO version 6.5.0. It occurs because the parameters 'lang' and 'system_type' are improperly sanitized and directly embedded into JavaScript code within several template files, such as header.html. Although htmlentities() is used, it does not escape single quotes properly, allowing attackers to inject arbitrary JavaScript code by crafting malicious URLs. This injected code executes in the victim's browser context, potentially leading to unauthorized actions. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary JavaScript in the context of users' browsers. Potential impacts include session hijacking by stealing cookies, phishing attacks by injecting fake login forms or redirecting users, and privilege escalation by modifying admin settings if exploited in backend contexts. Essentially, it can compromise user accounts, steal sensitive information, and disrupt normal operations. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing for reflected Cross-Site Scripting (XSS) in the `system_type` and `lang` URL parameters. You can attempt to access URLs on your ShopXO instance with payloads that inject JavaScript code, such as: For `system_type` parameter: http://target-ip/?s=user/modallogininfo&system_type=1';alert(document.cookie);var __test__='1 For `lang` parameter: http://target-ip/?lang=1';alert(234);var __test__='1 If an alert box appears or JavaScript executes, the vulnerability is present. You can use command-line tools like `curl` or `wget` to send these requests and inspect the responses for injected scripts. Example command: curl -i "http://target-ip/?s=user/modallogininfo&system_type=1';alert(document.cookie);var __test__='1" or curl -i "http://target-ip/?lang=1';alert(234);var __test__='1" [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1. Avoid using the vulnerable ShopXO version 6.5.0 until a patch is available. 2. Implement input validation and proper escaping for the `system_type` and `lang` parameters, especially when embedding them into JavaScript contexts. 3. Use a Web Application Firewall (WAF) to block requests containing suspicious payloads targeting these parameters. 4. Educate users and administrators to be cautious of suspicious URLs. 5. If possible, disable or restrict access to the affected modules or views until a fix is applied. Since no official patch or mitigation is mentioned, these steps help reduce exposure until an update is released. [1, 2]