Cross-Site Scripting (XSS) vulnerability in Soteshop

Posted date 28/02/2025
Identifier
INCIBE-2025-0111
Importance
3 - Medium
Affected Resources

Soteshop, versions prior to 8.3.4.

Description

INCIBE has coordinated the publication of a medium severity vulnerability affecting Soteshop, an online shop software, which has been discovered by Gonzalo Aguilar García (6h4ack).

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:

  • CVE-2025-1776: CVSS v3.1: 6.1 | CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79

Solution

The vulnerability has been fixed by the Soteshop team in version 8.3.4.

Detail

CVE-2025-1776: Cross-Site Scripting (XSS) vulnerability in Soteshop, versions prior to 8.3.4, which could allow remote attackers to execute arbitrary code via the ‘query’ parameter in /app-google-custom-search/searchResults. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
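As an added example (not part of the INCIBE advisory and not Soteshop's own code), the following Python script shows how a defender could triage web server access logs for exploitation attempts against the endpoint and parameter named above: it parses combined-format log lines, URL-decodes the 'query' parameter (twice, to catch double encoding) and flags values that carry HTML markup or script. The log format, the markup heuristic and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Endpoint and parameter named in CVE-2025-1776 (Soteshop < 8.3.4).
AFFECTED_PATH = "/app-google-custom-search/searchResults"
AFFECTED_PARAM = "query"

# Fragments that have no business in a search term (heuristic assumption,
# not a complete XSS grammar): an HTML tag opener, a javascript: URL or an
# on*= event handler attribute.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|on[a-z]+\s*=", re.IGNORECASE)

# Combined log format (Apache/nginx style): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def flag_request(line):
    """Return (client IP, decoded query) when the line is a request to the affected
    endpoint whose 'query' parameter contains markup; otherwise return None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if parts.path != AFFECTED_PATH:
        return None
    # parse_qs already decodes once; a second decode catches double-encoded values.
    for value in parse_qs(parts.query, keep_blank_values=True).get(AFFECTED_PARAM, []):
        decoded = unquote_plus(value)
        if MARKUP_RE.search(decoded):
            return m.group("ip"), decoded
    return None

def scan_log(lines):
    """Run flag_request over every line and keep the hits, in log order."""
    return [hit for hit in (flag_request(line) for line in lines) if hit]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Feb/2025:10:01:02 +0100] "GET /app-google-custom-search/searchResults?query=red+shoes HTTP/1.1" 200 5120',
    '203.0.113.7 - - [28/Feb/2025:10:01:09 +0100] "GET /app-google-custom-search/searchResults?query=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5210',
    '203.0.113.9 - - [28/Feb/2025:10:01:15 +0100] "GET /product/123?query=%3Cb%3Ex HTTP/1.1" 200 900',
    '203.0.113.11 - - [28/Feb/2025:10:02:01 +0100] "GET /app-google-custom-search/searchResults?query=%253Cb%253Ebold%253C%252Fb%253E HTTP/1.1" 200 5100',
]

if __name__ == "__main__":
    for ip, query in scan_log(SAMPLE_LOG):
        print(f"{ip}: {query!r}")
```

Only requests to the vulnerable path are flagged, so the same markup sent to another endpoint (third sample line) is ignored; widen AFFECTED_PATH to a list if other reflecting endpoints are in scope.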
