CVE-2025-57407

5.4 MEDIUM
Published: September 23, 2025 Modified: October 08, 2025
View on NVD

Description

A stored cross-site scripting (XSS) vulnerability in the Admin Log Viewer of S-Cart <=10.0.3 allows a remote authenticated attacker to inject arbitrary web script or HTML via a crafted User-Agent header. The script is executed in an administrator's browser when they view the security log page, which could lead to session hijacking or other malicious actions.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/gp247net/core/releases/tag/1.1.24
Source: cve@mitre.org
Release Notes
https://github.com/s-cart/core/blob/7c9aa42761be5fd0131c61dbe2b5323beb96d5dd/src/Admin/Controllers/AdminLogController.php
Source: cve@mitre.org
Product

2 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.4 / 10.0
EPSS (Exploit Probability)
0.0%
16th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-79

Affected Vendors

gp247

Related CVEs

CVE-2025-69261 N/A
CVE-2025-69257 6.7
CVE-2025-69210 N/A
CVE-2025-66823 N/A
CVE-2025-50343 N/A