CVE-2024-4348

Severity: MEDIUM · Nuclei template available

osCommerce 4 - Cross-Site Scripting via /catalog/all-products cat Parameter

Title source: LLM-generated

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-4348. PoCs published by halilkirazkaya. A Nuclei detection template is also available.

AI-analyzed exploit summary (this describes the cve-poc-garage repository as a whole, not the CVE-2024-4348 entry specifically; the vulnerability classes it lists do not include the cross-site scripting issue covered by this CVE): This repository contains functional exploit code for multiple CVEs, including remote file inclusion, path traversal, and unauthorized file deletion vulnerabilities. Each PoC includes HTTP requests or commands to exploit the respective vulnerabilities.

Description

A vulnerability classified as problematic was found in osCommerce 4. It affects an unknown function of the file /catalog/all-products. Manipulation of the argument cat leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-262488. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
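The description above names the injection point (the cat query parameter of /catalog/all-products) but not how to confirm it safely. The following is an added example written for this page; it is not code from EIP, from the cve-poc-garage PoC, or from osCommerce. It sends a canary inside a harmless attribute-breakout probe (a closing quote plus a non-existent tag, no script), then classifies whether the response echoed it unencoded, encoded, modified, or not at all. The hidden-input markup used to stand in for the page's rendering, and the canary format, are assumptions made for the example; the vulnerable renderer is there only to contrast the CWE-79 pattern with the output-encoded fix. Because the page's CVSS vector carries UI:R, a positive result still requires a victim to open the crafted URL for an actual attack.

```python
import html
import secrets
from urllib.parse import urlencode

# The endpoint and parameter come from the advisory; everything else here
# (canary format, the hidden-input markup standing in for the page) is an
# assumption made for this example.
ENDPOINT = "/catalog/all-products"
PARAM = "cat"


def make_canary() -> str:
    """Random marker so a hit cannot be confused with pre-existing page text."""
    return "eipxss" + secrets.token_hex(4)


def probe_value(canary: str) -> str:
    """Attribute-breakout probe: closes a quoted attribute and opens a
    harmless, non-existent tag carrying the canary.  Nothing executes, but
    an unencoded echo proves the injection context is live."""
    return f'"><{canary}>'


def build_probe_url(base: str, canary: str) -> str:
    """Full probe URL; urlencode handles the quoting of the payload."""
    return f"{base.rstrip('/')}{ENDPOINT}?" + urlencode({PARAM: probe_value(canary)})


def reflection_verdict(body: str, canary: str) -> str:
    """Classify how a fetched response body echoed the probe.  Offline check:
    this function does no network I/O, so it can be unit-tested."""
    raw_tag = f"<{canary}>"
    if raw_tag in body:
        return "reflected-unencoded"      # attacker-controlled markup survived
    if html.escape(raw_tag) in body:
        return "reflected-encoded"        # &lt;...&gt;: output encoding applied
    if canary in body:
        return "reflected-modified"       # filtered or altered; review manually
    return "not-reflected"


# Constructed stand-ins for the server-side rendering, to show both outcomes.
def render_vulnerable(cat: str) -> str:
    """CWE-79 pattern: untrusted query parameter concatenated into HTML."""
    return f'<input type="hidden" name="cat" value="{cat}">'


def render_fixed(cat: str) -> str:
    """Same markup with contextual output encoding for an attribute value."""
    return f'<input type="hidden" name="cat" value="{html.escape(cat, quote=True)}">'


if __name__ == "__main__":
    canary = make_canary()
    print(build_probe_url("https://shop.example", canary))
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        body = render(probe_value(canary))
        print(f"{label:10s} -> {reflection_verdict(body, canary)}")
```

To use it against a live host, fetch build_probe_url(...) with any HTTP client and pass the body to reflection_verdict; treat "reflected-unencoded" as confirmed, and "reflected-modified" as a case for manual inspection rather than a clean negative.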

Exploits (1)

GitHub · Working PoC · 4 stars
by halilkirazkaya · poc
https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2024/CVE-2024-4348.md


Classification
Working PoC 95%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Various (WordPress plugins, QNAP Photo Station, IBM Data Risk Manager, etc.); these targets belong to the repository's other PoCs, not to CVE-2024-4348, which affects osCommerce 4
No auth needed
Prerequisites: Network access to the target system; per the CVSS vector (UI:R), an actual attack also requires a victim to open the crafted link
devstral-2 · analyzed Feb 27, 2026

Nuclei Templates (1)

osCommerce v4.0 - Cross-site Scripting
MEDIUM · VERIFIED · by s4e-io
Shodan: html:"osCommerce"

References (3)

Core references (all VulDB entries; permissions required to view full details):
- Technical description: https://vuldb.com/?id.262488
- Signature (CTI entry): https://vuldb.com/?ctiid.262488
- Third-party advisory (submission): https://vuldb.com/?submit.320855

Scores

CVSS v3.1 base score 4.3 (Medium)
EPSS 0.0183 (1.83%)
EPSS Percentile 76.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
osCommerce 4 (vendor: n/a)
Published Apr 30, 2024
Tracked Since Feb 18, 2026