CVE-2024-58304

HIGH

SPA-CART CMS 1.9.0.3 - XSS

Title source: llm

Description

SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the 'descr' parameter in the product edit form to execute arbitrary code in administrative users' browsers.

Exploits (1)

exploitdb WORKING POC
by Eren Sen · text · webapps · php
https://www.exploit-db.com/exploits/51919

Scores

CVSS v3 7.5
EPSS 0.0003
EPSS Percentile 8.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-79
Status published
Products (1)
SPA-Cart/SPA-CART CMS 1.9.0.3
Published Dec 11, 2025
Tracked Since Feb 18, 2026