CVE-2024-35362

5.4 MEDIUM

📋 TL;DR

Ecshop 3.6 contains a cross-site scripting (XSS) vulnerability in the article_cat.php file that allows attackers to inject malicious scripts into web pages. This affects all users of Ecshop 3.6 who access the vulnerable page, potentially leading to session hijacking or credential theft.

💻 Affected Systems

Products:
  • Ecshop
Versions: 3.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the article_cat.php functionality enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, take over admin accounts, deface the website, or redirect users to malicious sites.

🟠 Likely Case

Attackers inject malicious scripts to steal user session cookies or credentials from users visiting the vulnerable page.

🟢 If Mitigated

With proper input validation and output encoding, the impact is limited to minor data display issues.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities are commonly weaponized in automated attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Download the latest Ecshop version if available.
2. Replace the vulnerable article_cat.php file.
3. Apply input validation and output encoding to all user inputs.

🔧 Temporary Workarounds

Input Validation Filter (Platforms: all)

Add input validation to sanitize user inputs before processing.

Edit article_cat.php so that user-supplied values are passed through htmlspecialchars() (or similar filtering) at the point where they are echoed into the page.

Content Security Policy (Platforms: all)

Implement CSP headers to restrict script execution.

Add the HTTP response header Content-Security-Policy: default-src 'self'. Note that this policy also blocks any inline scripts the application itself relies on, so test it before deploying it site-wide.

🧯 If You Can't Patch

  • Disable or restrict access to the article_cat.php functionality
  • Implement web application firewall (WAF) rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Test by injecting a simple XSS payload like <script>alert('test')</script> into parameters processed by article_cat.php

Check Version:

Check Ecshop version in admin panel or readme files

Verify Fix Applied:

Verify that injected scripts are properly encoded and do not execute in the browser

📡 Detection & Monitoring

Log Indicators:

  • Unusual parameter values containing script tags or JavaScript in article_cat.php requests

Network Indicators:

  • HTTP requests with suspicious script payloads to article_cat.php

SIEM Query:

source="web_logs" AND uri="*article_cat.php*" AND (param="*<script>*" OR param="*javascript:*")
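The SIEM query above matches literal `<script>` and `javascript:` strings, so a URL-encoded request (`%3Cscript%3E`) would slip past it. The following Python detector, added here as an example and not part of the advisory, parses constructed access-log lines in an assumed Apache/Nginx combined format, URL-decodes each query parameter of requests to article_cat.php (including double-encoded values), and flags the advisory's indicators; the log lines, IPs and parameter names are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed Apache/Nginx combined-style access log line (adjust for your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)
# The advisory's indicators: script tags or javascript: URLs in request parameters.
XSS_RE = re.compile(r'<\s*script|javascript\s*:', re.IGNORECASE)

def normalize(value: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded) so double-encoded payloads are caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_request(line: str):
    """Return (ip, param, decoded_value) for an article_cat.php request carrying a payload, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('uri'))
    if not parts.path.lower().endswith('/article_cat.php'):
        return None
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = normalize(raw)  # parse_qsl decoded once; catch further encoding layers
        if XSS_RE.search(value):
            return (m.group('ip'), name, value)
    return None

def scan(lines):
    """Apply flag_request to each log line and return the hits in order."""
    return [hit for hit in (flag_request(l) for l in lines) if hit]

# Constructed sample log lines (not real traffic): clean, encoded, other path, double-encoded, javascript:
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /article_cat.php?id=3 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /article_cat.php?id=%3Cscript%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/May/2024:12:00:03 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 100',
    '203.0.113.11 - - [10/May/2024:12:00:04 +0000] "GET /article_cat.php?cat=%253Cscript%253E HTTP/1.1" 200 100',
    '203.0.113.13 - - [10/May/2024:12:00:05 +0000] "GET /article_cat.php?u=JavaScript%3Avoid(0) HTTP/1.1" 200 100',
]

if __name__ == '__main__':
    for ip, name, value in scan(SAMPLE_LOG):
        print(f'{ip} param={name!r} value={value!r}')
```

Running it flags three of the five constructed lines; the clean request and the request to a different script are ignored.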
