CVE-2020-28456

7.3 HIGH

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts into the S-Cart admin panel, which could execute in administrators' browsers. It affects all S-Cart installations using core versions before 4.4. Administrators accessing the compromised admin panel are at risk.

💻 Affected Systems

Products:
  • S-Cart e-commerce platform
Versions: All versions before 4.4
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the admin panel interface; customer-facing storefront is not directly vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal admin session cookies, perform actions as administrators, deface the store, or steal customer data.

🟠

Likely Case

Attackers inject malicious scripts to steal admin credentials or session tokens, leading to unauthorized admin access.

🟢

If Mitigated

With proper input validation and output encoding, the XSS payloads would be neutralized, preventing script execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking an admin into visiting a malicious link or interacting with injected content in the admin panel.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4 and later

Vendor Advisory: https://github.com/s-cart/s-cart/releases/tag/v4.4

Restart Required: No

Instructions:

1. Back up your S-Cart installation and database.
2. Update the S-Cart core to version 4.4 or later via composer update or a manual upgrade.
3. Clear any caches and verify admin panel functionality.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Implement server-side input validation to sanitize user inputs in admin panel fields.

Modify the S-Cart source to apply htmlspecialchars() or an equivalent encoding function to the vulnerable parameters wherever they are rendered in admin pages.

Content Security Policy

Applies to: all

Implement CSP headers to restrict the sources from which scripts may execute in the admin panel.

Add a 'Content-Security-Policy' header with a restrictive script-src directive to admin panel responses.

🧯 If You Can't Patch

  • Restrict admin panel access to specific IP addresses using firewall rules or .htaccess restrictions.
  • Implement web application firewall (WAF) rules to detect and block XSS payloads in admin requests.

🔍 How to Verify

Check if Vulnerable:

Check your S-Cart version in the admin panel or via composer show s-cart/core. If the version is below 4.4, you are vulnerable.

Check Version:

composer show s-cart/core | grep version

Verify Fix Applied:

After updating, verify that the version is 4.4 or later and test admin panel inputs with a basic XSS payload such as <script>alert('test')</script> to confirm it is rendered escaped rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags or JavaScript in admin panel request logs
  • Multiple failed login attempts followed by successful admin access

Network Indicators:

  • HTTP requests containing script tags or JavaScript in admin panel URLs or parameters

SIEM Query:

source="web_logs" AND (uri="*/admin/*" AND (content="<script" OR content="javascript:"))
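As an added illustration (not part of this advisory), the following filter implements the SIEM query above over constructed access-log lines. Unlike the literal query it URL-decodes the request path first, so percent-encoded or double-encoded payloads aimed at /admin/ are not missed; the log lines, IPs and paths are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Combined Log Format), not real traffic.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Dec/2020:10:01:02 +0000] "GET /admin/product?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Dec/2020:10:01:05 +0000] "GET /admin/dashboard HTTP/1.1" 200 8192',
    '198.51.100.7 - - [10/Dec/2020:10:02:11 +0000] "GET /product/shirt?q=javascript:void(0) HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Dec/2020:10:02:30 +0000] "POST /admin/setting?note=javascript%3Aalert(1) HTTP/1.1" 302 0',
    '192.0.2.9 - - [10/Dec/2020:10:03:00 +0000] "GET /admin/order?id=42 HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# The same two markers the advisory's SIEM query looks for, applied after decoding.
XSS_MARKERS = ("<script", "javascript:")

def decode_uri(uri: str, rounds: int = 2) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def is_admin_xss_attempt(uri: str) -> bool:
    """True when the request targets /admin/ and carries a script marker."""
    decoded = decode_uri(uri).lower()
    return "/admin/" in decoded and any(m in decoded for m in XSS_MARKERS)

def find_alerts(lines):
    """Return (ip, method, uri) for every admin request containing an XSS marker."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_admin_xss_attempt(m["uri"]):
            alerts.append((m["ip"], m["method"], m["uri"]))
    return alerts

if __name__ == "__main__":
    for ip, method, uri in find_alerts(SAMPLE_LOGS):
        print(f"ALERT {ip} {method} {uri}")
```

Requests to the customer-facing storefront are deliberately ignored, matching the advisory's scope; widen the path check if your deployment serves the admin panel under a different prefix.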
