VYPR
← All advisories
Low severityNVD Advisory· Published Sep 23, 2025· Updated Sep 24, 2025

CVE-2025-57407

CVE-2025-57407

Description

A stored cross-site scripting (XSS) vulnerability in the Admin Log Viewer of S-Cart <=10.0.3 allows a remote authenticated attacker to inject arbitrary web script or HTML via a crafted User-Agent header. The script is executed in an administrator's browser when they view the security log page, which could lead to session hijacking or other malicious actions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in S-Cart <=10.0.3 Admin Log Viewer allows remote authenticated attacker to inject arbitrary script via User-Agent header, executed when admin views logs.

Vulnerability

Description A stored cross-site scripting (XSS) vulnerability exists in the Admin Log Viewer component of S-Cart versions up to 10.0.3. The application logs HTTP request headers, including the User-Agent, without proper sanitization. An authenticated attacker can craft a malicious User-Agent string containing arbitrary JavaScript or HTML, which is then stored in the security logs. When an administrator views the log page, the payload executes in their browser context [1]. The root cause is the lack of HTML escaping when displaying the user_agent field in the admin log view [3].

Attack

Vector and Exploitation The vulnerability is exploitable by a remote authenticated attacker with minimal privileges. The attacker sends a request to the S-Cart application with a malicious User-Agent header. The request is logged, and the payload is stored. The attacker does not need direct access to the admin panel; instead, they rely on an administrator navigating to the security log page. The attack does not require any special network position beyond being able to send HTTP requests to the application [1].

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the context of an administrator's browser. This can lead to session hijacking, exposure of sensitive data displayed on the admin panel, or other malicious actions such as forging admin requests. The impact is heightened because the administrator has elevated privileges, potentially compromising the entire application [1].

Mitigation

Status The vulnerability has been patched in versions after 10.0.3. The fix involves using htmlspecialchars() on the user_agent field before display, as demonstrated in commit e9848706 by gp247net/core [2][4]. Users are strongly advised to upgrade to the latest version. No workarounds are documented; however, restricting access to the admin log viewer to trusted administrators only can reduce risk.

References
  1. NVD - CVE-2025-57407
  2. Release Fix CVE-2025-57407 · gp247net/core
  3. core/src/Admin/Controllers/AdminLogController.php at 7c9aa42761be5fd0131c61dbe2b5323beb96d5dd · s-cart/core
  4. Fix xss admin log · gp247net/core@e984870

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
s-cart/corePackagist
<= 9.0.5
gp247/corePackagist
< 1.1.241.1.24

Affected products

2
  • S-Cart/S-Cartdescription
  • S-Cart/S Cartllm-create
    Range: <=10.0.3

Patches

1
e9848706b41d

Fix xss admin log

https://github.com/gp247net/coregp247Aug 5, 2025via ghsa
commit
2 files changed · +3 2
  • src/Controllers/AdminLogController.php+1 1 modified
    @@ -84,7 +84,7 @@ public function index()
                 'method' => '<span class="badge bg-' . (AdminLog::$methodColors[$row['method']] ?? '') . '">' . $row['method'] . '</span>',
                 'path' => '<code>' . $row['path'] . '</code>',
                 'ip' => $row['ip'],
-                'user_agent' => $row['user_agent'],
+                'user_agent' => htmlspecialchars($row['user_agent']),
                 'input' => htmlspecialchars($row['input']),
                 'created_at' => $row['created_at'],
                 'action' => $action,
  • src/Middleware/LogOperation.php+2 1 modified
    @@ -32,9 +32,10 @@ public function handle(Request $request, \Closure $next)
             ];
 
             try {
+                $log = gp247_clean(data:$log, hight: true);
                 AdminLog::create($log);
             } catch (\Throwable $exception) {
-                // pass
+                gp247_report($exception->getMessage());
             }
         }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.