CVE-2025-40701
Reflected XSS in SOTESHOP 8.3.4 Enables Session Hijacking
Publication date: 2026-02-23
Last updated on: 2026-02-23
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sote | soteshop | all versions before 8.3.5 (8.3.5 excluded); 8.3.4 is the version the advisory names |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts can be detected by monitoring HTTP requests to the /adsTracker/checkAds endpoint for an id parameter that contains markup or script fragments (for example <script, onerror= or javascript:), including their percent-encoded forms such as %3Cscript. A legitimate id on this endpoint should not contain angle brackets or quotes, so their presence is a strong signal.
Network traffic inspection tools, reverse-proxy access logs or a web application firewall can all be used to spot such attempts.
To confirm whether an instance is vulnerable, request the endpoint with a harmless probe and inspect the raw response, for example with curl or wget:
- curl -i 'http://your-soteshop-domain/adsTracker/checkAds?id=<script>alert(1)</script>'
- The instance is vulnerable if the response is served as text/html and the probe appears verbatim in the body. A reflection that comes back HTML-encoded (&lt;script&gt;...) or inside a non-HTML content type such as application/json is not executable by the browser.
- Alternatively, use tools like Burp Suite or OWASP ZAP to automate detection of reflected XSS vulnerabilities on this endpoint. [1]
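The two checks described above, as an added example that is not part of this advisory or of SOTESHOP itself: a scan of web-server access logs for requests to /adsTracker/checkAds whose id parameter carries script markers (after undoing single and double percent-encoding), and a check of a probe response that distinguishes a verbatim HTML reflection from an encoded or non-HTML one. The endpoint and parameter name come from the advisory; the log lines, response bodies and probe string are constructed here for illustration.

```python
"""Spot exploitation attempts against /adsTracker/checkAds in access logs and
confirm whether a probe is reflected unencoded.

Added example; not code from the advisory or from SOTESHOP. The endpoint and
parameter name come from the advisory; everything else (log lines, response
bodies, probe) is constructed here for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/adsTracker/checkAds"
PARAM = "id"

# Fragments that never belong in a tracker id; compared case-insensitively
# after percent-decoding so %3Cscript and %253Cscript are both caught.
XSS_MARKERS = ("<", ">", '"', "'", "script", "javascript:", "onerror", "onload")

# Common Log Format, with or without the combined-format referrer/agent tail.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (stops early once stable)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_lines):
    """Return [(ip, status, decoded_id)] for requests to ENDPOINT whose id
    parameter carries an XSS marker. Requests to other paths are ignored."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if unquote(parts.path).rstrip("/").lower() != ENDPOINT.lower():
            continue
        # parse_qs applies one round of decoding; fully_decode handles any more.
        for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            value = fully_decode(raw)
            if any(marker in value.lower() for marker in XSS_MARKERS):
                hits.append((m.group("ip"), int(m.group("status")), value))
    return hits


def reflects_unencoded(content_type, body, probe):
    """True when an HTML response contains `probe` verbatim, i.e. without HTML
    encoding. A reflection in JSON or text/plain is not script-executable in
    the browser and is reported as False."""
    if content_type.split(";")[0].strip().lower() != "text/html":
        return False
    return probe in body


# Constructed access-log sample: one benign request, two attack attempts
# (single- and double-encoded) and one request to an unrelated path.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Feb/2026:10:00:01 +0000] "GET /adsTracker/checkAds?id=1234 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Feb/2026:10:00:05 +0000] "GET /adsTracker/checkAds?id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1034 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [23/Feb/2026:10:00:09 +0000] "GET /adsTracker/checkAds?id=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 1040 "-" "curl/8.0"',
    '192.0.2.10 - - [23/Feb/2026:10:01:00 +0000] "GET /product/1?id=%3Cb%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

# Probe containing an angle bracket and both quote characters: if it comes
# back verbatim, no HTML output encoding was applied.
PROBE = '<xss"\'>'
VULN_BODY = '<html><body>Ad <xss"\'> not found</body></html>'  # constructed
SAFE_BODY = '<html><body>Ad &lt;xss&quot;&#x27;&gt; not found</body></html>'  # constructed

if __name__ == "__main__":
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} -> HTTP {status} id={value!r}")
    print("raw reflection:", reflects_unencoded("text/html; charset=utf-8", VULN_BODY, PROBE))
    print("encoded reflection:", reflects_unencoded("text/html", SAFE_BODY, PROBE))
```

The log scan deliberately decodes more than once, because a WAF or a naive grep for `<script` is defeated by `%253Cscript`; the response check refuses to flag a non-HTML content type, which avoids false positives from a JSON endpoint that merely echoes its input.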
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to upgrade SOTESHOP to version 8.3.5 or later, where the issue has been fixed by the development team.
Until the upgrade can be applied:
- Validate the id parameter of /adsTracker/checkAds against the format it is expected to have (for example digits only) and HTML-encode it wherever it is written into the response. Rejecting unexpected input is more robust than trying to strip script tags, which is easy to bypass with alternative encodings.
- Deploy a Web Application Firewall (WAF) with rules that block reflected XSS payloads aimed at this endpoint, treating it as a stopgap rather than a fix.
- Limit what a successful injection can do: mark the session cookie HttpOnly (and Secure) so it cannot be read from script, which blunts the session hijacking this advisory warns about, and consider a Content-Security-Policy that disallows inline script.
- Educate users to avoid clicking on suspicious links containing the vulnerable parameter. [1]
Can you explain this vulnerability to me?
CVE-2025-40701 is a reflected Cross-Site Scripting (XSS) vulnerability in SOTESHOP version 8.3.4, online sales software developed by SOTE.
The flaw exists because the id parameter of the /adsTracker/checkAds endpoint is not properly sanitized or encoded before it is written into the response, so an attacker can craft a URL that injects arbitrary JavaScript, which then executes in the browser of any user who opens that link.
This enables attackers to steal sensitive user information such as session cookies or perform unauthorized actions on behalf of the user. [1]
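To make the flaw described in the explanation and the fixes listed under the mitigation answer concrete, here is an added example of a vulnerable checkAds-style handler beside a hardened one. It is not SOTESHOP's code: the advisory does not show the application source, so both handlers are hypothetical models of the pattern (the id parameter reflected into HTML unencoded) and of the countermeasures (allowlist validation, output encoding, an HttpOnly session cookie and a CSP without inline script). The session cookie value and the payload are constructed.

```python
"""Vulnerable and hardened handlers for a checkAds-style endpoint.

Added example; not SOTESHOP's code. The advisory does not show the
application source, so both handlers are hypothetical models of the flaw it
describes: the id parameter written into HTML without encoding. Each handler
returns (status, headers, body) the way a minimal web framework would.
"""
import html
import re

# Constructed dummy session cookie so the cookie-flag difference is visible.
SESSION_COOKIE = "sessid=0123456789abcdef"

# What the attacker wants reflected; it exfiltrates document.cookie if it runs.
PAYLOAD = "<script>alert(document.cookie)</script>"


def vulnerable_check_ads(query):
    """Vulnerable pattern: id is concatenated straight into HTML."""
    ad_id = query.get("id", "")
    body = f"<html><body><p>Ad {ad_id} checked</p></body></html>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Set-Cookie": SESSION_COOKIE,  # no HttpOnly: readable via document.cookie
    }
    return 200, headers, body


def render_ad_id(ad_id):
    """Output encoding: neutralises <, >, &, " and ' for an HTML text context."""
    return html.escape(ad_id, quote=True)


def hardened_check_ads(query):
    """Hardened pattern: allowlist the expected format, encode on output,
    and keep the session cookie and inline script out of reach."""
    ad_id = query.get("id", "")
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # HttpOnly stops script reading the cookie even if an XSS slipped through.
        "Set-Cookie": SESSION_COOKIE + "; HttpOnly; Secure; SameSite=Lax",
        # No inline script allowed, so a reflected <script> would not execute.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }
    # An ad id is numeric; anything else is rejected rather than "cleaned".
    if not re.fullmatch(r"[0-9]{1,10}", ad_id):
        return 400, headers, "<html><body><p>Invalid ad id</p></body></html>"
    # Encoding is redundant for pure digits but keeps the sink safe if the
    # allowlist is ever loosened.
    body = f"<html><body><p>Ad {render_ad_id(ad_id)} checked</p></body></html>"
    return 200, headers, body


def executes_script(body):
    """Crude comparison helper: does the page contain a raw <script tag?"""
    return "<script" in body.lower()


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_check_ads), ("hardened", hardened_check_ads)):
        status, headers, body = handler({"id": PAYLOAD})
        print(f"{name}: status={status} executes_script={executes_script(body)} "
              f"cookie={headers['Set-Cookie']}")
```

Two of the layers are independent of the bug: HttpOnly keeps the session cookie out of `document.cookie` and the CSP refuses inline script, so even an encoding bypass that gets past the allowlist would not yield the session hijack the advisory title describes.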
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute malicious JavaScript code in your browser when you visit a specially crafted URL.
As a result, attackers may steal sensitive information like session cookies, which can lead to account hijacking or unauthorized access.
Additionally, attackers could perform actions on your behalf without your consent, potentially compromising your data or account integrity.