CVE-2025-9103

LOW EPSS 15.7%

Published Aug 18, 202510mo ago · Modified Jun 17, 20261w ago

1.9 CVSS 4.0

Low

Published Aug 18, 2025 10mo ago

Last Modified Jun 17, 2026 1w ago

Description

A vulnerability was detected in ZenCart 2.1.0. Affected by this vulnerability is an unknown functionality of the component CKEditor. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor declares this as "intended behavior, allowed for authorized administrators".

CVSS Details

Base Score

1.9

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction P

Scope X

Threat Intelligence

EPSS Exploit Probability

15.7% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-79 Cross-site Scripting Injection

CWE-94 Improper Control of Generation of Code (Code Injection) Injection

References 5

gist.github.com https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd
hkohi.ca https://hkohi.ca/vulnerability/28
vuldb.com https://vuldb.com/?ctiid.320425
vuldb.com https://vuldb.com/?id.320425
vuldb.com https://vuldb.com/?submit.628298

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.