High8.8
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

PT-2024-96: Cross-Site Request Forgery (CSRF) and Reflected Cross-Site Scripting (XSS) in Netcat CMS (module netshop)

Error type:

  • CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-352:Cross-Site Request Forgery (CSRF)

Vulnerability vector:

  • Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
  • Severity (CVSSv3.1): 8.4 (high)
  • Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
  • Severity (CVSSv4.0): 8.8 (high)

Description:

The vulnerability was identified in Netcat CMS (module netshop), version 6.4 Extra.

The vulnerability is related to cross-site request forgery.

The discovered vulnerability allows an authorized attacker with the administrator role to execute arbitrary JavaScript code in the browser of the attacked user.

Vulnerability status: Confirmed by vendor

Date of vulnerability remediation: 20.08.2024

Recommendations:

  • Update to version or higher

Additional information:

Researcher: Yan Chizhevskiy (Positive Technologies)

Identifiers:

BDU:2024-06383

Vendor:

Netcat

Vulnerable product:

Netcat CMS

Vulnerable versions:

6.4 Extra