CVE-2004-0681

Comersus Cart 5.09 - Cross-Site Scripting via Message Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2004-0681. PoCs published by Thomas Ryan.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in Comersus Cart 5.09 via the 'message' parameter in the backofficeLite interface. The PoC shows how arbitrary JavaScript can be injected and executed in the context of a victim's browser.

Description

Multiple cross-site scripting (XSS) vulnerabilities in (1) comersus_customerAuthenticateForm.asp, (2) comersus_backoffice_message.asp, (3) comersus_supportError.asp, or (4) comersus_message.asp in Comersus Cart 5.09 allow remote attackers to execute web script as other users via the message parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Thomas Ryan · textwebappsasp
https://www.exploit-db.com/exploits/24261

This exploit demonstrates a cross-site scripting (XSS) vulnerability in Comersus Cart 5.09 via the 'message' parameter in the backofficeLite interface. The PoC shows how arbitrary JavaScript can be injected and executed in the context of a victim's browser.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Comersus Cart 5.09
No auth needed
Prerequisites: Access to the target URL · Victim interaction to trigger the XSS payload
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/16646
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/10674
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=108922169327403&w=2

Scores

EPSS 0.0204
EPSS Percentile 78.7%

Details

Status published
Products (1)
comersus_open_technologies/comersus_cart 5.09
Published Aug 06, 2004
Tracked Since Feb 18, 2026