CVE-2020-29587 Information

Description

SimplCommerce 1.0.0-rc uses the Bootbox.js library which allows creation of programmatic dialog boxes using Bootstrap modals. The Bootbox.js library intentionally does not perform any sanitization of user input which results in a DOM XSS because it uses the jQuery .html() function to directly append the payload to a dialog.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

https://github.com/simplcommerce/SimplCommerce/issues/969

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

5.4