CVE-2025-40701

Vulnerability

Description CVE-2025-40701 is a reflected Cross-Site Scripting (XSS) vulnerability in SOTESHOP, an online sales software, version 8.3.4. The flaw exists in the '/adsTracker/checkAds' endpoint where the 'id' parameter is not properly sanitized, allowing an attacker to inject arbitrary JavaScript code into the page response. This vulnerability was discovered by Gonzalo Aguilar García and has a CVSS v4.0 base score of 5.1 (Medium). [1]

Exploitation

To exploit this vulnerability, an attacker must craft a malicious URL containing a specially crafted 'id' parameter that includes JavaScript payload. This URL is then sent to the victim (e.g., via phishing or social engineering). The victim must click on the link while authenticated to the affected SOTESHOP instance. No prior authentication is required for the attacker, but victim interaction is necessary. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the context of the vulnerable SOTESHOP application. This can lead to theft of session cookies, enabling account takeover, or performing actions on behalf of the victim, such as modifying data or initiating transactions. [1]

Mitigation

The vendor (SOTE) has fixed this vulnerability in version 8.3.5. Users are strongly advised to upgrade to this patched version. There are no known workarounds. [1]