CVE-2024-58304

HIGH

SPA-CART CMS 1.9.0.3 - Authenticated Stored Cross-Site Scripting via Product Description Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-58304. PoCs published by Eren Sen.

AI-analyzed exploit summary: This is a proof-of-concept for a stored XSS vulnerability in SPA-CART CMS version 1.9.0.3. The exploit demonstrates how an attacker can inject malicious JavaScript into the 'descr' parameter, which is then stored and executed when accessed.

Description

SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the 'descr' parameter in the product edit form to execute arbitrary code in administrative users' browsers.

Exploits (1)

exploitdb WORKING POC
by Eren Sen · text · webapps · php
https://www.exploit-db.com/exploits/51919

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: SPA-CART CMS 1.9.0.3
Auth required
Prerequisites: Access to admin panel · Valid session cookies
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/51919

Scores

CVSS v3 7.5
EPSS 0.0002
EPSS Percentile 4.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE: CWE-79
Status published
Products (1)
SPA-Cart/SPA-CART CMS 1.9.0.3
Published Dec 11, 2025
Tracked Since Feb 18, 2026