CVE-2025-59411
BaseFortify

Publication date: 2025-09-22

Last updated on: 2025-09-23

Assigner: GitHub, Inc.

Description
CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form’s Enquiry field accepts raw HTML and that HTML is included verbatim in the email sent to the store admin. By submitting HTML in the Enquiry, the admin receives an email containing that HTML. This indicates user input is not being escaped or sanitized before being output in email (and possibly when re-rendering the form), leading to Cross-Site Scripting / HTML injection risk in email clients or admin UI. This issue has been patched in version 6.5.11.
Meta Information
Published: 2025-09-22
Last Modified: 2025-09-23
Generated: 2026-05-07
AI Q&A: 2025-09-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: cubecart
Product: cubecart
Version / Range: up to 6.5.11 (excluding)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in CubeCart versions prior to 6.5.11 occurs because the contact form's Enquiry field accepts raw HTML input from users without sanitization. This raw HTML is then included directly in the email sent to the store administrator. As a result, malicious HTML or scripts can be injected into the email content, leading to Cross-Site Scripting (XSS) or HTML injection risks in email clients or the admin user interface. Essentially, an attacker can submit HTML code that gets executed or rendered in the admin's email or UI, potentially causing harm. [2]


How can this vulnerability impact me?

The vulnerability can impact you by allowing attackers to perform phishing attacks through the admin's email by embedding malicious links or scripts in the enquiry field. This can trick admins into clicking harmful links. Additionally, if the unsanitized content is displayed in the admin panel or stored for later viewing, it could lead to persistent Cross-Site Scripting (XSS) attacks, potentially compromising admin sessions and leading to unauthorized access or control over the admin interface. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by submitting HTML content through the CubeCart contact form's Enquiry field and then checking if the received email to the store admin contains the raw HTML content unescaped. To detect it on your system, you can monitor outgoing emails from the contact form for unescaped HTML content. For example, you could use grep or similar commands on the mail server logs or mail queue to search for suspicious HTML tags in emails sent from the contact form. A sample command might be: grep -i '<script\|<a\|<h2' /var/mail/* or checking the email source in the admin mailbox for raw HTML tags in enquiry messages. Additionally, reviewing the source code for the presence or absence of sanitization functions on the enquiry input can help detect the vulnerability. [2, 1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade CubeCart to version 6.5.11 or later, where this vulnerability has been patched. The patch sanitizes the enquiry input by converting any HTML content to plain text before including it in emails, preventing HTML injection. If upgrading immediately is not possible, as a temporary workaround, you could modify the contact form processing code to sanitize or strip HTML tags from the enquiry input before sending emails, for example by applying functions similar to the patch's htmlToPlainText() and nl2br() functions to the enquiry content. [1, 3]
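As an added illustration (not CubeCart's own code), the sketch below places the vulnerable pattern, a raw form field copied into an HTML email body, beside a hardened version that follows the same idea as the 6.5.11 fix: reduce the field to plain text, escape it, and only then apply nl2br(). The function names and the sample enquiry are constructed for this example.

```php
<?php
// Added example, not CubeCart's code. Shows the CWE-79 pattern in an email body
// and one mitigation in the spirit of the 6.5.11 patch.

// Constructed sample enquiry, as an untrusted contact-form field would arrive.
$enquiry = "Hello,\n<b>Order 42</b> never arrived.\n"
         . "<script>alert(1)</script>\n"
         . "<a href=\"https://example.invalid/login\">Reset password</a>";

// Vulnerable pattern: the raw field is interpolated into the HTML email verbatim,
// so any tag the sender typed is rendered by the admin's mail client.
function buildEmailBodyVulnerable(string $enquiry): string
{
    return "<p>New enquiry:</p>" . nl2br($enquiry);
}

// Hypothetical helper (not the patch's htmlToPlainText()): strip tags, then decode
// entities so that "&lt;script&gt;" typed by a sender is treated as literal text
// in the next step rather than slipping through as pre-encoded markup.
function enquiryToPlainText(string $html): string
{
    $text = html_entity_decode(strip_tags($html), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return trim($text);
}

// Hardened pattern: plain text -> HTML-escape -> nl2br(). Escaping happens before
// nl2br() so the <br /> tags it inserts are the only markup in the output.
function buildEmailBodyHardened(string $enquiry): string
{
    $plain   = enquiryToPlainText($enquiry);
    $escaped = htmlspecialchars($plain, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>New enquiry:</p>" . nl2br($escaped);
}

// Detection-style self-check: a correctly built body contains no raw tag from the
// input. Useful as a unit test around whatever email-building code a store uses.
function containsRawInputTag(string $body): bool
{
    return (bool) preg_match('/<(script|a|b|h2)\b/i', $body);
}

$vulnerable = buildEmailBodyVulnerable($enquiry);
$hardened   = buildEmailBodyHardened($enquiry);

var_dump(containsRawInputTag($vulnerable));
var_dump(containsRawInputTag($hardened));
echo $hardened, PHP_EOL;
```

Run with the PHP CLI; the first var_dump reports the raw tags surviving in the vulnerable body, the second that none survive in the hardened one.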

