XSS in Shopex Ecshop
CVE-2020-20640
Cross-Site Scripting (XSS) in ECShop 4.0. Input handled by user.php is passed through the filter in safety.php, but that filter inspects the raw string without decoding HTML entities. A payload whose significant characters are written as HTML entities therefore passes the filter unchanged; when the browser decodes those entities while rendering the page, the script executes.
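To make the bypass concrete, the following is an added illustration and not ECShop's own code: the page does not reproduce the actual pattern list in safety.php, so the blacklist below is a hypothetical stand-in, and the choice of a link attribute as the rendering context is likewise an assumption for the example. It shows an entity-encoded payload passing a raw-string check, what the browser sees once it decodes the attribute value, and two fixes: canonicalising (fully decoding) before filtering, and, more robustly, allow-listing the URL scheme and output-encoding at the sink so the outcome no longer depends on the blacklist at all.

```python
import html
import re

# Stand-in for a blacklist filter of the kind the CVE description attributes
# to safety.php.  Hypothetical: the real ECShop pattern list is not on this page.
BLOCKLIST = re.compile(r"<\s*script|javascript\s*:|on\w+\s*=", re.IGNORECASE)


def naive_allows(value: str) -> bool:
    """The flawed check: pattern-match the raw string only."""
    return BLOCKLIST.search(value) is None


def decode_entities_fully(value: str, max_rounds: int = 5) -> str:
    """Decode HTML character references until the string stops changing, so
    double-encoded input such as &amp;#58; is also unwrapped.  Bounded so a
    pathological input cannot keep the loop spinning."""
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value


def hardened_allows(value: str) -> bool:
    """Same blacklist, but applied to the canonical (fully decoded) form."""
    return BLOCKLIST.search(decode_entities_fully(value)) is None


def browser_decodes_attribute(raw_attr: str) -> str:
    """Model of what a browser does with an attribute value: character
    references are decoded once before the value is used (e.g. as a URL)."""
    return html.unescape(raw_attr)


def render_link_unsafely(href: str) -> str:
    """Vulnerable sink: the stored value is interpolated into an href as-is."""
    return f'<a href="{href}">profile</a>'


def render_link_safely(href: str) -> str:
    """Fix that does not rely on the blacklist: canonicalise, allow-list the
    scheme, then output-encode for the attribute context."""
    canonical = decode_entities_fully(href).strip()
    if not re.match(r"^https?://", canonical, re.IGNORECASE):
        canonical = "#"
    return f'<a href="{html.escape(canonical, quote=True)}">profile</a>'


if __name__ == "__main__":
    # Constructed payload: the colon is written as the entity &#58; so the
    # literal string "javascript:" never appears for the blacklist to match.
    payload = "javascript&#58;alert(document.cookie)"
    print("naive filter allows   :", naive_allows(payload))            # True
    print("stored as-is          :", render_link_unsafely(payload))
    print("browser sees          :", browser_decodes_attribute(payload))
    print("hardened filter allows:", hardened_allows(payload))         # False
    print("safe render           :", render_link_safely(payload))
```

The ordering matters: a filter that runs before canonicalisation can always be sidestepped by another encoding layer, which is why the safe renderer decides on the decoded value and then encodes for the exact output context rather than trusting any earlier check.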
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.010 (58.9th percentile), i.e. roughly a 1% estimated probability of exploitation activity in the wild within the next 30 days.
CVSS v3 metric
CVSS v3 base score 6.1 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Read: reachable over the network with low attack complexity and no privileges, but a victim must interact (open a crafted link or page); scope is changed because the payload runs in the victim's browser rather than in the vulnerable component itself; confidentiality and integrity impact are low, availability is unaffected.
Affected products
- Shopex Ecshop — versions 4.0
Weakness classification (CWE)
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Public proof-of-concept exploits
References
- cve@mitre.org (Exploit, Third Party Advisory, x_refsource_MISC)
Frequently asked questions
- What is CVE-2020-20640?
- CVE-2020-20640 is a medium-severity vulnerability in Shopex Ecshop, classified under Cross-site Scripting. CVSS score: 6.1/10. Published 2021-06-28.
- How severe is CVE-2020-20640?
- Medium severity. CVSS v3 base score is 6.1 out of 10.
- Is CVE-2020-20640 known to be exploited?
- 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.