CVE-2020-24026 — MEDIUM (6.1)

Vulnerability Description

TinyShop, a free and open source mall based on RageFrame2, has a stored XSS vulnerability that affects version 1.2.0. TinyShop allows XSS via the explain_first and again_explain parameters of the /evaluate/index.php page. The vulnerability may be exploited remotely, resulting in cross-site scripting (XSS) or information disclosure.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Tinyshop Project	Tinyshop	1.2.0

Related Weaknesses (CWE)

CWE-79

References

https://github.com/jianyan74/TinyShopThird Party Advisory
https://github.com/jianyan74/TinyShop/issues/14ExploitIssue TrackingThird Party Advisory
https://github.com/stavyan/TinyShop-UniAppProductThird Party Advisory
https://github.com/jianyan74/TinyShopThird Party Advisory
https://github.com/jianyan74/TinyShop/issues/14ExploitIssue TrackingThird Party Advisory
https://github.com/stavyan/TinyShop-UniAppProductThird Party Advisory

FAQ

What is CVE-2020-24026?

CVE-2020-24026 is a vulnerability with a CVSS score of 6.1 (MEDIUM). TinyShop, a free and open source mall based on RageFrame2, has a stored XSS vulnerability that affects version 1.2.0. TinyShop allows XSS via the explain_first and again_explain parameters of the /eva...

How severe is CVE-2020-24026?

CVE-2020-24026 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-24026?

Check the references section above for vendor advisories and patch information. Affected products include: Tinyshop Project Tinyshop.