CVE-2025-67683
Unknown Unknown - Not Provided
Reflected XSS in Quick.Cart 6.7 via sSort Parameter

Publication date: 2026-01-22

Last updated on: 2026-02-19

Assigner: CERT.PL

Description
Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An attacker can craft a malicious URL which, when opened, results in arbitrary JavaScript execution in the victim’s browser. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-14
NVD
CVE-2025-67683
EUVD
EUVD-2026-4160
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opensolution quick.cart 6.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-67683 is a reflected Cross-Site Scripting (XSS) vulnerability in Quick.Cart version 6.7. It occurs via the 'sSort' parameter, where an attacker can craft a malicious URL that, when opened by a victim, executes arbitrary JavaScript code in the victim's browser. This happens because the input is not properly neutralized during web page generation. [1]

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, theft of sensitive information, defacement of the website, or redirection to malicious sites. It compromises the security and trustworthiness of the affected web application. [1]

Detection Guidance

This vulnerability can be detected by testing the Quick.Cart application, specifically by checking if the sSort parameter in URLs is vulnerable to reflected XSS. You can try crafting a URL with a JavaScript payload in the sSort parameter and observe if the script executes in the browser. For example, you can use curl or a browser to send a request like: curl 'http://your-quickcart-site/?sSort=<script>alert(1)</script>' and check if the script is reflected and executed. There are no specific commands provided in the resources, but manual testing of the sSort parameter with XSS payloads is recommended. [1]

Mitigation Strategies

Immediate mitigation steps include sanitizing and properly encoding the sSort parameter input to prevent execution of arbitrary JavaScript. If possible, apply any available patches or updates from the vendor. Since the vendor did not provide details or affected version ranges and only version 6.7 is confirmed vulnerable, consider restricting access to the affected version or disabling the vulnerable functionality until a fix is available. Additionally, educate users to avoid clicking on suspicious URLs that may exploit this vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67683. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart