CVE-2020-29475 - OpenCVE

nopCommerce Store 4.30 is affected by cross-site scripting (XSS) in the Schedule tasks name field. This vulnerability can allow an attacker to inject the XSS payload in Schedule tasks and each time any user will go to that page of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Nopcommerce	Store

Configuration 1 [-]

cpe:2.3:a:nopcommerce:store:4.30:*:*:*:*:*:*:*

References

Link	Resource
https://www.exploit-db.com/exploits/49093	Exploit Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-12-29T14:47:34

Updated: 2020-12-29T14:47:34

Reserved: 2020-12-02T00:00:00

Link: CVE-2020-29475

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-12-29T15:15:12.717

Modified: 2020-12-30T16:42:16.453

Link: CVE-2020-29475

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nopcommerce:store:4.30:*:*:*:*:*:*:*", "matchCriteriaId": "9CA4EBB8-852B-4530-96D2-AFB7B3A56E22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "nopCommerce Store 4.30 is affected by cross-site scripting (XSS) in the Schedule tasks name field. This vulnerability can allow an attacker to inject the XSS payload in Schedule tasks and each time any user will go to that page of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload."}, {"lang": "es", "value": "nopCommerce Store versi\u00f3n 4.30, est\u00e1 afectado por un ataque de tipo cross-site scripting (XSS) en el campo de nombre de tareas de Programadas. Esta vulnerabilidad puede permitir a un atacante inyectar una carga \u00fatil de tipo XSS en tareas Programadas y cada vez que un usuario vaya a esa p\u00e1gina del sitio web, los ataques de tipo XSS se desencadenar\u00e1n y el atacante pueden robar la cookie de acuerdo con la carga \u00fatil dise\u00f1ada"}], "id": "CVE-2020-29475", "lastModified": "2020-12-30T16:42:16.453", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-29T15:15:12.717", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/49093"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}