cnvd - cnvd-2021-01555

CNVD-2021-01555

Vulnerability from cnvd - Published: 2021-01-09

Title

nopCommerce跨站脚本漏洞（CNVD-2021-01555）

Description

nopCommerce是一套开源的通用电子商务平台。 nopCommerce Store 4.30版本存在跨站脚本漏洞，该漏洞源于Schedule tasks name字段未对XSS语句做有效过滤。此漏洞允许攻击者在计划任务中注入XSS负载，并且每次有任何用户进入网站的该页面时，XSS触发器和攻击者都可以根据特制的负载窃取cookie。

Severity

低

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.nopcommerce.com/zh

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-29475

Impacted products

Name
nopCommerce nopCommerce Store 4.30

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-29475",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-29475"
    }
  },
  "description": "nopCommerce\u662f\u4e00\u5957\u5f00\u6e90\u7684\u901a\u7528\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002\n\nnopCommerce Store 4.30\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eSchedule tasks name\u5b57\u6bb5\u672a\u5bf9XSS\u8bed\u53e5\u505a\u6709\u6548\u8fc7\u6ee4\u3002\u6b64\u6f0f\u6d1e\u5141\u8bb8\u653b\u51fb\u8005\u5728\u8ba1\u5212\u4efb\u52a1\u4e2d\u6ce8\u5165XSS\u8d1f\u8f7d\uff0c\u5e76\u4e14\u6bcf\u6b21\u6709\u4efb\u4f55\u7528\u6237\u8fdb\u5165\u7f51\u7ad9\u7684\u8be5\u9875\u9762\u65f6\uff0cXSS\u89e6\u53d1\u5668\u548c\u653b\u51fb\u8005\u90fd\u53ef\u4ee5\u6839\u636e\u7279\u5236\u7684\u8d1f\u8f7d\u7a83\u53d6cookie\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.nopcommerce.com/zh",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-01555",
  "openTime": "2021-01-09",
  "products": {
    "product": "nopCommerce nopCommerce Store 4.30"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-29475",
  "serverity": "\u4f4e",
  "submitTime": "2020-12-31",
  "title": "nopCommerce\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2021-01555\uff09"
}

CVE-2020-29475 (GCVE-0-2020-29475)

Vulnerability from cvelistv5 – Published: 2020-12-29 14:47 – Updated: 2024-08-04 16:55

Summary

nopCommerce Store 4.30 is affected by cross-site scripting (XSS) in the Schedule tasks name field. This vulnerability can allow an attacker to inject the XSS payload in Schedule tasks and each time any user will go to that page of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

https://www.exploit-db.com/exploits/49093

x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:55:10.353Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/49093"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "nopCommerce Store 4.30 is affected by cross-site scripting (XSS) in the Schedule tasks name field. This vulnerability can allow an attacker to inject the XSS payload in Schedule tasks and each time any user will go to that page of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-29T14:47:34",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.exploit-db.com/exploits/49093"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-29475",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "nopCommerce Store 4.30 is affected by cross-site scripting (XSS) in the Schedule tasks name field. This vulnerability can allow an attacker to inject the XSS payload in Schedule tasks and each time any user will go to that page of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.exploit-db.com/exploits/49093",
              "refsource": "MISC",
              "url": "https://www.exploit-db.com/exploits/49093"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-29475",
    "datePublished": "2020-12-29T14:47:34",
    "dateReserved": "2020-12-02T00:00:00",
    "dateUpdated": "2024-08-04T16:55:10.353Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-01555

CVE-2020-29475 (GCVE-0-2020-29475)

Tags

Sightings

Nomenclature