CVE-2024-40746

A stored cross-site scripting (XSS) vulnerability in HikaShop Joomla Component < 5.1.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload in the `description` parameter of any product. The `description `parameter is not sanitised in the backend.
References
Link Resource
https://www.hikashop.com/ Product
Configurations

Configuration 1 (hide)

cpe:2.3:a:hikashop:hikashop:*:*:*:*:*:joomla\!:*:*

History

29 Oct 2024, 15:34

Type Values Removed Values Added
CPE cpe:2.3:a:hikashop:hikashop:*:*:*:*:*:joomla\!:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4
References () https://www.hikashop.com/ - () https://www.hikashop.com/ - Product
First Time Hikashop
Hikashop hikashop

23 Oct 2024, 15:13

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad de cross-site scripting (XSS) almacenado en el componente HikaShop Joomla anterior a la versión 5.1.1 permite a atacantes remotos ejecutar código JavaScript arbitrario en el navegador web de un usuario, mediante la inclusión de una carga maliciosa en el parámetro `description` de cualquier producto. El parámetro `description` no se desinfecta en el backend.

21 Oct 2024, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-21 17:15

Updated : 2024-10-29 15:34


NVD link : CVE-2024-40746

Mitre link : CVE-2024-40746

CVE.ORG link : CVE-2024-40746


JSON object : View

Products Affected

hikashop

  • hikashop
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')