VYPR
Medium severity · NVD Advisory · Published Jan 20, 2026 · Updated Apr 15, 2026

CVE-2025-40679


Description

HTML injection vulnerability in Isshue by Bdtask, consisting of an HTML injection due to a lack of proper validation of user input, triggered by sending a POST request to '/category_product_search' and affecting the 'product_name' parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An HTML injection vulnerability in the Isshue eCommerce platform, via the unvalidated 'product_name' parameter in a POST request, allows script execution.

CVE-2025-40679: HTML Injection in Isshue by Bdtask

The vulnerability is an HTML injection flaw in the Isshue eCommerce platform by Bdtask. The root cause is the lack of proper validation of user input supplied via the 'product_name' parameter. An attacker sends a crafted POST request to the endpoint '/category_product_search' in order to inject arbitrary HTML content [1].

Exploitation

Method

Exploitation does not require authentication, as the component is publicly accessible. The attack vector is network-based with low complexity; no privileges are needed. A remote unauthenticated attacker can inject HTML by manipulating the 'product_name' parameter in the POST request to the vulnerable endpoint [1].

Impact

Successful exploitation enables the attacker to execute arbitrary HTML or script code in the victim's browser session. This can lead to defacement, phishing, or session-related attacks. The CVSS v4.0 base score is 5.1 (Medium) with the vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N, indicating that user interaction is required and that the impact is limited to the integrity of a subsequent system (the victim's browser), with no direct confidentiality breach [1].

Mitigation

As of the publication date, no official patch or vendor-provided solution has been reported. Users are advised to implement input sanitization for the 'product_name' parameter and apply general web application firewall rules to mitigate injection attempts until a permanent fix is available [1].
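To make the sanitization advice concrete, here is an added example (not Isshue's own code, which this page does not reproduce): a Python sketch of a search handler that reflects product_name into a results heading, first unencoded (the flaw class described above) and then HTML-encoded, plus a check a test suite can run to confirm that no user-supplied tags survive rendering. The heading template and the sample input are constructed for this illustration.

```python
import html
import re

# Constructed sample input for the 'product_name' parameter (illustrative only).
SAMPLE_INPUT = '<b>shoe</b><img src=x onerror="alert(1)">'

# Matches the name of every HTML start or end tag in a rendered fragment.
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def render_search_heading_vulnerable(product_name: str) -> str:
    """The flaw class: user input interpolated straight into HTML markup."""
    return f"<h2>Results for: {product_name}</h2>"


def render_search_heading_fixed(product_name: str) -> str:
    """Hardened form: HTML-encode before placing the value in an HTML text node.

    quote=True also encodes quotes, so the same helper is safe for attribute values.
    """
    return f"<h2>Results for: {html.escape(product_name, quote=True)}</h2>"


def find_unexpected_tags(rendered: str, allowed=("h2",)) -> list[str]:
    """Return, in order of first appearance, every tag name in `rendered`
    that the template did not itself emit. An empty list means no markup
    from the user-controlled value reached the page."""
    seen: list[str] = []
    for match in TAG_RE.finditer(rendered):
        name = match.group(1).lower()
        if name not in allowed and name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    print("vulnerable :", find_unexpected_tags(render_search_heading_vulnerable(SAMPLE_INPUT)))
    print("fixed      :", find_unexpected_tags(render_search_heading_fixed(SAMPLE_INPUT)))
```

The same check can be pointed at any template that reflects request parameters; a non-empty result is a regression worth failing the build on.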

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.