CVE-2025-47289

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-47289

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-47289.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-47289

Related

GHSA-98qq-m8qj-vvgj

Published

2025-06-02T11:15:22Z

Modified

2025-06-03T03:50:43.744995Z

Summary

[none]

Details

CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner (admin) approves the testimonial, the script executes in the context of any user visiting the testimonial page. Because the session cookies are not marked with the HttpOnly flag, they can be exfiltrated by the attacker — potentially leading to account takeover. Version 1.1.0.3 fixes the issue.

References

Affected packages

Git / github.com/ce-phoenixcart/phoenixcart

Affected ranges

Type: GIT
Repo: https://github.com/ce-phoenixcart/phoenixcart
Events: Introduced

a7f3daf19850e1643579769185f30a3b20aaf25e

Last affected

6e835fab47584f7b24df9ac4396e7527fc5fa572

Affected versions

v1.*

v1.0.9.10

v1.0.9.9

v1.1.0.0

v1.1.0.1

v1.1.0.2