CVE-2024-12991 describes a cross-site scripting (XSS) vulnerability discovered in DBShop商城系统, specifically affecting versions 3.3 Release 231225 through 3.3. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. A fix is available in version 3.3.1, and the vulnerability has been publicly disclosed.
Successful exploitation of CVE-2024-12991 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the DBShop商城系统. This can lead to various malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive user data such as login credentials or personal information. The vulnerability's remote accessibility significantly broadens the potential attack surface, as it can be triggered without requiring local access to the system. The disclosed nature of the exploit increases the likelihood of widespread exploitation.
CVE-2024-12991 has been publicly disclosed, indicating a higher probability of exploitation. The vulnerability is present in the /home-order file and can be triggered by manipulating the orderStatus parameter with a crafted payload containing JavaScript code. No known active campaigns targeting this specific vulnerability have been reported as of the publication date, but the public availability of the exploit increases the risk of opportunistic attacks.
Exploit Status: EPSS 0.20% (42nd percentile).
The primary mitigation for CVE-2024-12991 is to immediately upgrade DBShop商城系统 to version 3.3.1 or later. If upgrading is not feasible in the short term, consider implementing input validation and output encoding on the orderStatus parameter to sanitize user-supplied data. Web application firewalls (WAFs) configured with rules to detect and block XSS payloads targeting the /home-order endpoint can provide an additional layer of defense. Carefully review and update any existing security policies to address XSS vulnerabilities.
Update to a patched version or apply a solution that correctly filters or escapes user input in the orderStatus parameter of the /home-order file to prevent the execution of malicious JavaScript code. Because the vendor has not responded, it is recommended to contact the community for an unofficial patch or implement a custom solution. Validating and sanitizing all user inputs is a good security practice.
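The two mitigation layers named above (validating the orderStatus value and HTML-encoding whatever is echoed back from /home-order), together with a check over web-server access logs for requests to that endpoint carrying script-like orderStatus values. This is an added example, not DBShop's own code; the allowed status values and the log lines are constructed assumptions.

```python
# Added example (not DBShop's code): hardening the orderStatus parameter of
# /home-order against reflected XSS, and spotting suspicious requests in logs.
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list of order status values (hypothetical; the advisory does
# not list DBShop's real status codes).
ALLOWED_STATUS = {"pending", "paid", "shipped", "completed", "cancelled"}

def render_vulnerable(order_status: str) -> str:
    """Unsafe pattern: user input concatenated straight into the HTML page."""
    return "<h2>Orders: " + order_status + "</h2>"

def validate_order_status(order_status: str) -> str:
    """Input validation: accept only known status values, else a safe default."""
    value = order_status.strip().lower()
    return value if value in ALLOWED_STATUS else "all"

def handle_home_order(order_status: str) -> tuple[str, str]:
    """Both layers: the validated value drives the order filter, and anything
    echoed back into the page is HTML-encoded regardless of validation."""
    status = validate_order_status(order_status)
    page = "<h2>Orders: " + html.escape(order_status, quote=True) + "</h2>"
    return status, page

# Detection: flag /home-order requests whose orderStatus looks like markup or
# script, using the common Apache/Nginx combined log request field.
_SUSPICIOUS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)
_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def suspicious_home_order_requests(log_lines):
    hits = []
    for line in log_lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != "/home-order":
            continue
        # parse_qs percent-decodes values, so %3Cscript%3E becomes <script>
        values = parse_qs(url.query).get("orderStatus", [])
        if any(_SUSPICIOUS.search(v) for v in values):
            hits.append(line)
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /home-order?orderStatus=paid HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /home-order?orderStatus=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /home-product?id=3 HTTP/1.1" 200 300',
]
```

Running `suspicious_home_order_requests(SAMPLE_LOG)` returns only the second line, while `handle_home_order("<script>x</script>")` falls back to the "all" filter and emits the value as `&lt;script&gt;x&lt;/script&gt;`.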
CVE-2024-12991 is a cross-site scripting (XSS) vulnerability affecting DBShop商城系统 versions 3.3 Release 231225 through 3.3, allowing attackers to inject malicious scripts.
You are affected if you are using DBShop商城系统 versions 3.3 Release 231225 through 3.3. Upgrade to 3.3.1 to mitigate the risk.
Upgrade DBShop商城系统 to version 3.3.1 or later. Implement input validation and output encoding as a temporary workaround.
While no active campaigns are confirmed, the vulnerability is publicly disclosed, increasing the risk of exploitation.
Contact the vendor directly as they have not responded to early disclosure attempts. Check their official website or support channels for updates.