CVE-2020-29475 in nopCommerce
Summary
by MITRE • 12/30/2020
nopCommerce Store 4.30 is affected by cross-site scripting (XSS) in the Schedule tasks name field. This vulnerability can allow an attacker to inject an XSS payload in Schedule tasks, and each time any user goes to that page of the website, the XSS triggers and the attacker is able to steal the cookie according to the crafted payload.
Analysis
by VulDB Data Team • 06/24/2026
The nopCommerce e-commerce platform version 4.30 contains a cross-site scripting vulnerability within its schedule tasks functionality, specifically in the name field parameter. This vulnerability falls under the Common Weakness Enumeration category CWE-79 - Improper Neutralization of Input During Web Page Generation, which represents one of the most prevalent web application security flaws. The issue manifests when malicious input is submitted through the schedule task name field without proper sanitization or validation mechanisms. When users navigate to pages containing these compromised schedule tasks, the stored XSS payload executes within their browser context, creating a persistent threat vector that can be exploited across multiple user sessions.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform session hijacking and cookie theft. The XSS payload can be crafted to steal session cookies, authentication tokens, or other sensitive user data, allowing unauthorized access to administrative accounts or user sessions. This vulnerability represents a significant risk to the platform's security posture since schedule tasks are typically managed by administrators with elevated privileges, making the potential attack surface particularly valuable for threat actors seeking persistent access. The vulnerability follows the standard stored XSS pattern: malicious code is stored on the server and subsequently served to other users, so a single injected value can compromise every session that renders the page.
The exploitation of this vulnerability requires minimal technical expertise and can be accomplished through various automated tools available in the cybersecurity community. Attackers can construct payloads that redirect users to malicious domains, steal cookies using document.cookie access, or inject beaconing scripts for command and control communication. The attack vector aligns with ATT&CK technique T1566.002 - Phishing: Spearphishing Attachment, as it involves tricking users into visiting compromised pages where the XSS executes automatically. Security professionals should note that this vulnerability does not require authentication to set up initially, as attackers can inject malicious code through legitimate administrative interfaces or by leveraging existing access to schedule task management features.
Mitigation strategies for this vulnerability should include immediate implementation of input validation and output encoding mechanisms within the schedule tasks name field processing. The platform requires proper sanitization of user inputs before storage and rendering, utilizing established security libraries that can neutralize potentially malicious content. Organizations should implement Content Security Policy headers to limit script execution permissions and provide additional protection layers against XSS attacks. Regular security audits and input validation reviews should be conducted to identify similar vulnerabilities in other application components. Patch management procedures must be prioritized to ensure timely deployment of vendor security updates, as this vulnerability represents a known issue that requires immediate remediation. The implementation of web application firewalls and intrusion detection systems can provide additional monitoring capabilities to detect and prevent exploitation attempts against this specific XSS vector.
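The following is an added example illustrating the three defenses the analysis recommends (input validation at the trust boundary, output encoding at render time, and a Content Security Policy header) for a "schedule task name" field in an ASP.NET Core application. It is not nopCommerce code and does not reflect how nopCommerce renders its schedule task grid; the class and method names (ScheduleTaskNameValidator, ScheduleTaskRenderer, UseBasicCsp) and the sample stored value are assumptions constructed for this illustration. RenderUnsafe shows the stored-XSS pattern described above (a stored name concatenated into markup verbatim); RenderSafe shows the encoded form.

```csharp
// Added example (not nopCommerce's code): defenses for a stored-XSS-prone
// "schedule task name" field in an ASP.NET Core application.
// All type and method names below are hypothetical.
using System;
using System.Text.Encodings.Web;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class ScheduleTaskNameValidator
{
    // Allowlist for a task name: letters, digits, spaces and a little punctuation.
    // Angle brackets, quotes and ampersands are not accepted, so markup never reaches storage.
    private static readonly Regex Allowed =
        new Regex(@"^[\p{L}\p{N} ._\-:()]{1,200}$", RegexOptions.Compiled);

    // Validate at the trust boundary and reject, rather than trying to "clean" the value.
    public static bool IsValid(string name) =>
        !string.IsNullOrWhiteSpace(name) && Allowed.IsMatch(name);
}

public static class ScheduleTaskRenderer
{
    // Vulnerable pattern: whatever was stored is written into the page as-is,
    // so a name that contains a script tag becomes executable markup (CWE-79).
    public static string RenderUnsafe(string storedName) =>
        "<td class=\"task-name\">" + storedName + "</td>";

    // Hardened pattern: HTML-encode at output time, regardless of what is in the database.
    // This is the same contextual encoding that Razor applies to @Model.Name by default.
    public static string RenderSafe(string storedName) =>
        "<td class=\"task-name\">" + HtmlEncoder.Default.Encode(storedName) + "</td>";
}

public static class CspMiddlewareExtensions
{
    // Defense in depth: a policy without 'unsafe-inline' stops an inline payload from running
    // even if an encoding mistake slips through somewhere. Adjust the sources for the real site.
    public static IApplicationBuilder UseBasicCsp(this IApplicationBuilder app) =>
        app.Use(async (HttpContext context, Func<Task> next) =>
        {
            context.Response.Headers["Content-Security-Policy"] =
                "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
            await next();
        });
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample value: a task name that carries markup.
        string stored = "Nightly cleanup <script>x</script>";

        // Input validation rejects it before it is ever stored.
        Console.WriteLine(ScheduleTaskNameValidator.IsValid(stored));   // False

        // If a value like this is already in the database, only the encoded render is safe.
        Console.WriteLine(ScheduleTaskRenderer.RenderUnsafe(stored));   // markup emitted verbatim
        Console.WriteLine(ScheduleTaskRenderer.RenderSafe(stored));     // &lt;script&gt;x&lt;/script&gt; shown as text
    }
}
```

In the application's startup code, `app.UseBasicCsp();` would be registered before the MVC or Razor Pages endpoints so that every response carries the header. Validation and encoding are independent controls: validation keeps new malicious names out, while output encoding protects against names that are already stored or that enter through another path such as a database import.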