| Field | Value |
|---|---|
| Title | kirilkirkov Ecommerce-CodeIgniter-Bootstrap master Cross Site Scripting |
| Source | https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/security/advisories/GHSA-v69c-5xg5-q7r8 |
| User | Anonymous User |
| Submitted | 2026-06-02 10:06 (1 month ago) |
| Moderation | 2026-07-03 19:24 (1 month later) |
| Status | Accepted |
| VulDB Entry | 376149 [kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 213babdbaa949e94557246414db0130e01394517 Subscribed Emails Admin Page MY_Controller.php checkForPostRequests User-Agent Cross Site Scripting] |
| Points | 20 |

## Description

Ecommerce-CodeIgniter-Bootstrap contains a stored cross-site scripting vulnerability in the newsletter subscription flow. An unauthenticated attacker can submit a newsletter subscription request with a crafted `User-Agent` header. The application stores the attacker-controlled browser metadata in the `subscribed` table.

The administrator's subscribed-emails page later renders the stored `browser` value without output encoding. When an administrator visits that page, the stored payload can execute in the backend (admin) context.

## Technical Details

- Affected component: `application/core/MY_Controller.php`, `application/modules/admin/views/settings/emails.php`
- Storage flow: newsletter subscription handling in `checkForPostRequests()`
- Admin sink: `/index.php/admin/emails`
- Weakness: `CWE-79`
- CVSS v3.1: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N`
- Severity: `High`
- Published: `2026-05-20`
- Patched version / fix commit: `23105f25dadf57b4314fc015a63a7c6e910c89df`
- GitHub Security Advisory: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/security/advisories/GHSA-v69c-5xg5-q7r8
- Vendor fix: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/commit/23105f25dadf57b4314fc015a63a7c6e910c89df
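The defect the advisory describes is a classic stored-XSS sink: a request header is persisted and later concatenated into admin HTML without encoding. The following is an added example in plain PHP, not code from the Ecommerce-CodeIgniter-Bootstrap project or its fix commit. It keeps the `subscribed` table and `browser` column names from the advisory, but the function names, the in-memory stand-in for the table, and the sample rows are assumptions constructed for illustration. The vulnerable renderer is shown beside the hardened one so the effect of output encoding is visible on the same input.

```php
<?php
// Added example (not project code). Reproduces the pattern from the advisory:
// a User-Agent value is stored as `browser` in a `subscribed` table and later
// rendered in an admin view. One renderer echoes it raw, the other encodes it.

declare(strict_types=1);

/**
 * Constructed stand-in for the `subscribed` table (plain array, no database).
 * Storing header data is not the bug by itself, but bounding its length limits
 * how much untrusted content an anonymous client can park in the admin UI.
 */
function store_subscription(array &$table, string $email, string $userAgent): void
{
    $table[] = [
        'email'   => $email,
        'browser' => mb_substr($userAgent, 0, 255),
    ];
}

/** Vulnerable sink: stored values concatenated straight into HTML. */
function render_row_vulnerable(array $row): string
{
    return '<tr><td>' . $row['email'] . '</td><td>' . $row['browser'] . '</td></tr>';
}

/**
 * HTML-encode a value for element content or a quoted attribute.
 * ENT_QUOTES also encodes ' and " so the result is safe in attribute context;
 * CodeIgniter 3's html_escape() helper wraps htmlspecialchars() the same way.
 */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Hardened sink: every stored field is encoded before it reaches the page. */
function render_row_safe(array $row): string
{
    return '<tr><td>' . esc($row['email']) . '</td><td>' . esc($row['browser']) . '</td></tr>';
}

/** Self-check used below: does the rendered HTML still contain a raw tag from user data? */
function contains_raw_tag(string $html, string $tag): bool
{
    return strpos($html, '<' . $tag) !== false;
}

// Constructed sample rows: one ordinary User-Agent, one that carries markup
// instead of a browser string (benign <b> is enough to show the difference).
$subscribed = [];
store_subscription($subscribed, 'user@example.com', 'Mozilla/5.0 (X11; Linux x86_64)');
store_subscription($subscribed, 'other@example.com', '<b>not a browser</b>');

foreach ($subscribed as $row) {
    $raw  = render_row_vulnerable($row);
    $safe = render_row_safe($row);
    echo 'vulnerable: ' . $raw . PHP_EOL;
    echo 'hardened:   ' . $safe . PHP_EOL;
    echo 'raw tag survives in vulnerable output: ' . var_export(contains_raw_tag($raw, 'b'), true) . PHP_EOL;
    echo 'raw tag survives in hardened output:   ' . var_export(contains_raw_tag($safe, 'b'), true) . PHP_EOL;
}
```

Run it with `php example.php`. The point to carry back to the real view is that encoding belongs at the sink, applied to every stored field on the page regardless of where it originally came from; treating `User-Agent` as "just metadata" is exactly how such a value ends up rendered unencoded in an admin context.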