CVE-2024-4348— osCommerce all-products cross site scripting
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-4348
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
osCommerce all-products cross site scripting
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability, which was classified as problematic, was found in osCommerce 4. Affected is an unknown function of the file /catalog/all-products. The manipulation of the argument cat leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-262488. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
osCommerce 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
osCommerce是一套基于GNUGPL授权的开源在线购物电子商务解决方案。 osCommerce v4版本存在跨站脚本漏洞,该漏洞源于文件/catalog/all-products的参数cat会导致跨站脚本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| - | osCommerce | 4 | - |
II. Public POCs for CVE-2024-4348
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | A vulnerability, which was classified as problematic, was found in osCommerce 4. Affected is an unknown function of the file /catalog/all-products. The manipulation of the argument cat leads to cross site scripting. It is possible to launch the attack remotely. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-4348.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-4348
请登录查看更多情报信息。
- Submit #320855: osCommerce ltd. osCommerce 4 Reflected XSSthird-party-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-4348
Same Patch Batch · n/a · 2024-04-30 · 46 CVEs total
| CVE-2024-33371 | Desdev DedeCMS 安全漏洞 | |
| CVE-2020-5200 | Minerbabe 安全漏洞 | |
| CVE-2023-49473 | JF6000 Cloud Media Collaboration Processing Platform 固件V1.2.0和、软件版本V2.0.0 build 6245 安全漏洞 | |
| CVE-2019-19754 | Hiveon OS 安全漏洞 | |
| CVE-2019-19755 | ethOS 安全漏洞 | |
| CVE-2019-19753 | SimpleMiningOS 安全漏洞 | |
| CVE-2019-19751 | easyMINE 安全漏洞 | |
| CVE-2019-19752 | nvOC 安全漏洞 | |
| CVE-2023-50053 | Foundation 安全漏洞 | |
| CVE-2024-34088 | FRRouting 安全漏洞 | |
| CVE-2024-34149 | Bitcoin Core和Bitcoin Knots 安全漏洞 | |
| CVE-2024-33832 | OneNav 安全漏洞 | |
| CVE-2024-33383 | novel-plus 安全漏洞 | |
| CVE-2024-33332 | SpringBlade 安全漏洞 | |
| CVE-2024-33103 | DokuWiki 安全漏洞 | |
| CVE-2024-33437 | CSS Exfil Protection 安全漏洞 | |
| CVE-2024-33101 | ThinkSAAS 安全漏洞 | |
| CVE-2024-33436 | CSS Exfil Protection 安全漏洞 | |
| CVE-2024-33102 | ThinkSAAS 安全漏洞 | |
| CVE-2024-33831 | yapi 安全漏洞 |
Showing top 20 of 46 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: osCommerce
- CVE-2019-25497
osCommerce 2.3.4.1 SQL Injection via currency Parameter - CVE-2019-25496
osCommerce 2.3.4.1 SQL Injection via products_id Parameter - CVE-2019-25495
osCommerce 2.3.4.1 SQL Injection via reviews_id Parameter - CVE-2009-20006
osCommerce <= 2.2 Admin File Manager Arbitrary PHP Code Exec - CVE-2025-40674
Reflected Cross-Site Scripting (XSS) in osCommerce
Same vendor: n/a
- CVE-2026-8276
bettercap MySQL Server mysql_server.go integer coercion - CVE-2026-8275
bettercap zerogod IPP Service zerogod_ipp_primitives.go ippR - CVE-2026-8270
Open5GS SMF ogs_nas_parse_qos_rules denial of service - CVE-2026-8269
Open5GS SMF smf_nsmf_handle_create_sm_context denial of serv - CVE-2026-8268
Open5GS SMF OpenAPI_list_create denial of service
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2024-4348
No comments yet