CVE-2023-54364

State: PUBLISHED · Published: 2026-04-09 · Updated: 2026-04-10 · Assigner: VulnCheck

Description

Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from_option, from_ctrl, from_task, or from_itemid parameters to steal session tokens or login credentials when victims visit the link.

CWE

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected

Hikashop / Joomla HikaShop — v=4.7.4 [affected]

CVSS

4.0 score=5.1 severity=MEDIUM CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
3.1 score=6.1 severity=MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

https://www.exploit-db.com/exploits/51629 exploit
https://www.hikashop.com/ product
https://demo.hikashop.com/index.php/en/ product
https://www.vulncheck.com/advisories/joomla-hikashop-reflected-xss-via-product-filter third-party-advisory

Source

cvelistV5-main/cves/2023/54xxx/CVE-2023-54364.json