nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality
nopCommerce 4.90.0 contains a Stored Cross-Site Scripting (Stored XSS) vulnerability: malicious JavaScript can be injected into the "Product Name" and "Short Description" fields and executes when a user visits the affected page. CVE-2025-65592 has been assigned. 2025-12-16 05:19:12 Author: seclists.org


Full Disclosure mailing list archives


From: Onur Tezcan via Fulldisclosure <fulldisclosure () seclists org>
Date: Fri, 12 Dec 2025 15:07:24 +0000

[Attack Vectors]
      > Multiple Stored Cross-Site Scripting (Stored XSS) vulnerabilities were detected in the product
management functionality. Malicious JavaScript payloads inserted into the "Product Name" and "Short Description" fields
are stored in the backend database and executed automatically whenever a user (administrator or customer) views the
affected pages.

Assigned CVE code:
       > CVE-2025-65592

 [Discoverer]
      > AlterSec t/a PenTest.NZ
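As an added defensive illustration (example code written for this page, not part of the advisory and not nopCommerce's own C# code): the two affected fields call for different output handling. A plain-text field such as "Product Name" should be HTML-encoded whole, while a rich-text field such as "Short Description" needs an allowlist sanitizer, since encoding it outright would break legitimate formatting. The tag allowlist, the field names and the sample records are assumptions constructed for the example.

```python
import html
from html.parser import HTMLParser
ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "ul", "ol", "li", "br"}
SKIPPED_TAGS = {"script", "style"}  # dropped with their contents; other unknown tags are just dropped

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in SKIPPED_TAGS:
            self.skip += 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes (onclick, style, ...) are never kept
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            safe = href.lower().startswith(("http://", "https://"))
            self.out.append(f'<a href="{html.escape(href, quote=True)}">' if safe else "<a>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> gets no closing tag

    def handle_endtag(self, tag):
        if tag in SKIPPED_TAGS:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS or tag == "a":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))  # text is always encoded

def sanitize_rich_text(fragment: str) -> str:
    """Rebuilds a rich-text fragment keeping only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def render_product(product: dict) -> dict:
    """Plain-text field is encoded whole; rich-text field is allowlist-sanitized."""
    return {"name": html.escape(product["name"], quote=True),
            "short_description": sanitize_rich_text(product["short_description"])}

# Constructed sample records holding stored payloads of the kind the advisory describes.
SAMPLE_PRODUCTS = [
    {"name": "Mug <script>alert(1)</script>", "short_description": "<p>Ceramic <b>mug</b></p>"},
    {"name": "Lamp", "short_description": '<p onclick="alert(1)">Desk <script>alert(1)</script>lamp</p>'},
]
```

Because the sanitizer rebuilds the fragment from parsed tokens instead of pattern-matching the raw string, it also neutralises stored content that a simple blocklist would miss, such as event-handler attributes on otherwise allowed tags.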

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Source: https://seclists.org/fulldisclosure/2025/Dec/19