CVE-2020-12058 Information
Feb 14, 2021
cve
Description
Several XSS vulnerabilities in osCommerce CE Phoenix before 1.0.6.0 allow an attacker to inject and execute arbitrary JavaScript code. The malicious code can be injected as follows: via the page parameter to catalog/admin/order_status.php, catalog/admin/tax_rates.php, catalog/admin/languages.php, catalog/admin/countries.php, catalog/admin/tax_classes.php, catalog/admin/reviews.php or catalog/admin/zones.php; or via the zpage or spage parameter to catalog/admin/geo_zones.php.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Reference
https://github.com/gburton/CE-Phoenix/commit/8d0fb97810bc28880415a3a31607f473bfc5fec8
https://sisl.lab.uic.edu/projects/chess/cross-site-scripting-in-cephoenix/
https://www.oscommerce.com/Us&News=155
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
6.1
Base Severity
MEDIUM