CVE Catalog

CVE-2021-42193

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

13th percentile - higher than 13% of all known CVEs

Summary

nopCommerce 4.40.3 is vulnerable to XSS in the Product Name field at /Admin/Product/Edit/[id]. Each time a user views the product in the shop, the XSS payload fires.

Risk Assessment

An attacker can inject a malicious script that executes in every user's browser when viewing the product page, potentially leading to session theft, redirects, or data theft.

Recommendation

Immediately update nopCommerce to the latest version and apply proper input filtering and encoding for the Product Name field.

Original NVD description (English source)

nopCommerce 4.40.3 is vulnerable to XSS in the Product Name at /Admin/Product/Edit/[id]. Each time a user views the product in the shop, the XSS payload fires.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS