CVE-2025-59411
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-22

Last updated on: 2025-09-23

Assigner: GitHub, Inc.

Description
CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form’s Enquiry field accepts raw HTML and that HTML is included verbatim in the email sent to the store admin. By submitting HTML in the Enquiry, the admin receives an email containing that HTML. This indicates user input is not being escaped or sanitized before being output in email (and possibly when re-rendering the form), leading to Cross-Site Scripting / HTML injection risk in email clients or admin UI. This issue has been patched in version 6.5.11.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-22
Last Modified
2025-09-23
Generated
2026-06-16
AI Q&A
2025-09-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59411
EUVD
EUVD-2025-30838
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cubecart cubecart to 6.5.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in CubeCart versions prior to 6.5.11 occurs because the contact form's Enquiry field accepts raw HTML input from users without sanitization. This raw HTML is then included directly in the email sent to the store administrator. As a result, malicious HTML or scripts can be injected into the email content, leading to Cross-Site Scripting (XSS) or HTML injection risks in email clients or the admin user interface. Essentially, an attacker can submit HTML code that gets executed or rendered in the admin's email or UI, potentially causing harm. [2]

Impact Analysis

The vulnerability can impact you by allowing attackers to perform phishing attacks through the admin's email by embedding malicious links or scripts in the enquiry field. This can trick admins into clicking harmful links. Additionally, if the unsanitized content is displayed in the admin panel or stored for later viewing, it could lead to persistent Cross-Site Scripting (XSS) attacks, potentially compromising admin sessions and leading to unauthorized access or control over the admin interface. [2]

Detection Guidance

This vulnerability can be detected by submitting HTML content through the CubeCart contact form's Enquiry field and then checking if the received email to the store admin contains the raw HTML content unescaped. To detect it on your system, you can monitor outgoing emails from the contact form for unescaped HTML content. For example, you could use grep or similar commands on the mail server logs or mail queue to search for suspicious HTML tags in emails sent from the contact form. A sample command might be: grep -i '<script\|<a\|<h2' /var/mail/* or checking the email source in the admin mailbox for raw HTML tags in enquiry messages. Additionally, reviewing the source code for the presence or absence of sanitization functions on the enquiry input can help detect the vulnerability. [2, 1]

Mitigation Strategies

The immediate mitigation step is to upgrade CubeCart to version 6.5.11 or later, where this vulnerability has been patched. The patch sanitizes the enquiry input by converting any HTML content to plain text before including it in emails, preventing HTML injection. If upgrading immediately is not possible, as a temporary workaround, you could modify the contact form processing code to sanitize or strip HTML tags from the enquiry input before sending emails, for example by applying functions similar to the patch's htmlToPlainText() and nl2br() functions to the enquiry content. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59411. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart