CVE-2025-65592
📋 TL;DR
nopCommerce 4.90.0 has a stored cross-site scripting (XSS) vulnerability in product management functionality. Attackers can inject malicious scripts into product name and short description fields, which execute automatically when users view affected pages. This affects all nopCommerce 4.90.0 installations with product management functionality enabled.
💻 Affected Systems
- nopCommerce
📦 What is this software?
nopCommerce by nopCommerce
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as administrators, deface the store, or redirect users to malicious sites, potentially leading to complete compromise of the e-commerce platform.
Likely Case
Attackers with product management access inject malicious scripts that execute when administrators or customers view products, leading to session hijacking, credential theft, or defacement of product pages.
If Mitigated
With proper input validation and output encoding, malicious scripts would be sanitized before storage and execution, preventing successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated access to product management functionality. The vulnerability is simple to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.90.1 or later
Vendor Advisory: https://www.nopcommerce.com/
Restart Required: Yes
Instructions:
1. Backup your nopCommerce installation and database.
2. Download the latest version from nopCommerce.com.
3. Replace the affected files with patched versions.
4. Restart the application server.
5. Verify the fix by testing product management functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize HTML/JavaScript in product name and description fields before storage.
Implement input sanitization in ProductController.cs and related models
Output Encoding
Apply proper output encoding when displaying product data in views to prevent script execution.
Use Html.Encode() or similar methods in product display views
🧯 If You Can't Patch
- Restrict access to product management functionality to trusted administrators only
- Implement a web application firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Test by inserting a simple XSS payload like <script>alert('test')</script> into product name or short description fields and checking if it executes when viewing the product.
Check Version:
Check the nopCommerce version in the admin panel under System > System Information or examine the web.config file.
Verify Fix Applied:
After patching, attempt the same XSS payload test and verify scripts are properly sanitized and do not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual product name or description entries containing script tags or JavaScript code
- Multiple failed login attempts followed by product modifications
Network Indicators:
- Unexpected outbound connections from product pages to external domains
- Suspicious JavaScript execution in product-related HTTP responses
SIEM Query:
source="web_server" AND (uri="/Admin/Product/Edit" OR uri="/product/*") AND (message="*<script>*" OR message="*javascript:*")
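The SIEM query above only matches the literal strings `<script>` and `javascript:`, so percent-encoded or mixed-case payloads slip past it. The following added Python example (not from the advisory or from nopCommerce) applies the same source and URI scoping to constructed log lines, but percent-decodes and case-folds the message first and also flags inline event handlers. The log line layout `<source> <method> <uri> <message>` is an assumption made for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real nopCommerce logs).
# Assumed layout: "<source> <method> <uri> <message>".
SAMPLE_LOGS = [
    'web_server POST /Admin/Product/Edit name=Running+Shoes&shortdesc=Light+and+fast',
    'web_server POST /Admin/Product/Edit name=%3Cscript%3Ealert(1)%3C%2Fscript%3E',
    'web_server POST /Admin/Product/Edit shortdesc=<SCRIPT src=//evil.example></SCRIPT>',
    'web_server GET /product/running-shoes ok',
    'web_server POST /Admin/Product/Edit name=<a href="javascript:alert(1)">x</a>',
    'web_server POST /Admin/Product/Edit name=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E',
    'app_server POST /Admin/Product/Edit name=<script>alert(1)</script>',
]

LOG_RE = re.compile(r'^(?P<source>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<message>.*)$')
SOURCES = {"web_server"}                      # source="web_server" in the SIEM query
URI_RE = re.compile(r'^(/Admin/Product/Edit|/product/)', re.IGNORECASE)
# The advisory's two markers plus inline event handlers (on...=), matched
# case-insensitively; the handler pattern is a triage hint and can false-positive
# on words such as "online=".
MARKER_RE = re.compile(r'<\s*script\b|javascript\s*:|\bon\w+\s*=', re.IGNORECASE)


def normalize(text: str) -> str:
    """Percent-decode up to three rounds so %3Cscript%3E and double-encoded
    forms (%253C...) collapse to the literal characters."""
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def is_suspicious(line: str) -> bool:
    """True if the line is in scope (source + URI) and its message carries a marker."""
    m = LOG_RE.match(line)
    if not m or m.group("source") not in SOURCES:
        return False
    if not URI_RE.match(m.group("uri")):
        return False
    return bool(MARKER_RE.search(normalize(m.group("message"))))


def find_suspicious(lines):
    return [line for line in lines if is_suspicious(line)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print("ALERT:", hit)
```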