Critical9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

PT-2024-84: Reflected Cross-Site Scripting (XSS) in Netcat CMS (netshop module)

Error type:

  • CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability vector:

  • Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
  • Severity (CVSSv3.1): 8.4 (high)
  • Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
  • Severity (CVSSv4.0): 9.3 (critical)

Description:

The vulnerability was identified in Netcat (netshop module), version 6.4 Extra.

The discovered vulnerability allows an authorized attacker with the administrator role to execute arbitrary JavaScript code in the browser of the attacked user.

Vulnerability status: Confirmed by vendor

Date of vulnerability remediation: 20.08.2024

Recommendations:

  • Update to version or higher

Additional information:

Researcher: Aleksey Solovev (Positive Technologies)

Identifiers:

BDU:2024-06397

Vendor:

Netcat

Vulnerable product:

Netcat CMS

Vulnerable versions:

6.4 Extra