Full Disclosure mailing list archives

nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality

From: Onur Tezcan via Fulldisclosure <fulldisclosure () seclists org>
Date: Fri, 12 Dec 2025 14:35:08 +0000

 [Attack Vectors]
      > It was detected that a Stored XSS vulnerability in the Attributes management workflow. An attacker can insert 
JavaScript into the Name field when adding a new Attribute Group (Catalog > Attributes > Specification attributes > Add 
Group > Name input field). To exploit the vulnerability, privileged users should visit the "Specification attributes 
page.

Assigned CVE code:
    > CVE-2025-65589

 [Discoverer]
      > AlterSec t/a PenTest.NZ


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality Onur Tezcan via Fulldisclosure (Dec 15)