CVE-2024-58296

CVSS

No CVSS.

C

E Phoenix v3.0.1 contains a stored cross-site scripting vulnerability in the currencies administration panel that allows attackers to inject malicious scripts. Attackers can insert XSS payloads in the title field to execute arbitrary JavaScript when administrators view the currencies page.

References

Link	Resource
https://demos6.softaculous.com/CE_Phoenixx3r6jqi4kl/admin/currencies.php
https://phoenixcart.org/
https://www.exploit-db.com/exploits/52015
https://www.softaculous.com/apps/ecommerce/CE_Phoenix
https://www.vulncheck.com/advisories/ce-phoenix-v-stored-cross-site-scripting-via-currencies-administration

Configurations

No configuration.

History

12 Dec 2025, 15:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-11 22:15

Updated : 2025-12-12 15:17

NVD link : CVE-2024-58296

Mitre link : CVE-2024-58296

CVE.ORG link : CVE-2024-58296

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-58296", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-12-11T22:15:50.740", "references": [{"url": "https://demos6.softaculous.com/CE_Phoenixx3r6jqi4kl/admin/currencies.php", "source": "[email protected]"}, {"url": "https://phoenixcart.org/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/52015", "source": "[email protected]"}, {"url": "https://www.softaculous.com/apps/ecommerce/CE_Phoenix", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/ce-phoenix-v-stored-cross-site-scripting-via-currencies-administration", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "CE Phoenix v3.0.1 contains a stored cross-site scripting vulnerability in the currencies administration panel that allows attackers to inject malicious scripts. Attackers can insert XSS payloads in the title field to execute arbitrary JavaScript when administrators view the currencies page."}], "lastModified": "2025-12-12T15:17:31.973", "sourceIdentifier": "[email protected]"}