Full Report
CERT Polska has received a report about two vulnerabilities (CVE-2025-67683 and CVE-2025-67684) found in Quick.Cart software.
Analysis Summary
Summary of the reported flaws in Quick.Cart software, structured for actionable intelligence.
***
# Vulnerability: Quick.Cart Cross-Site Scripting and Path Traversal Flaws
## CVE Details
- CVE ID: CVE-2025-67683
  - CVSS Score: not given in the source report.
  - CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation - XSS)
- CVE ID: CVE-2025-67684
  - CVSS Score: not given in the source report.
  - CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal)
## Affected Systems
- Products: OpenSolution Quick.Cart
- Versions: **6.7** (confirmed vulnerable; older or newer versions may also be affected, as the vendor did not provide an affected range).
- Configurations: Not specified, but likely applies to standard installations.
## Vulnerability Description
**CVE-2025-67683 (XSS):**
The vulnerability resides in the handling of the `sSort` parameter. An attacker can inject malicious JavaScript via a crafted URL. When a victim accesses this URL, the script executes in the victim's browser (Reflected XSS).
**CVE-2025-67684 (Path Traversal/LFI leading to RCE):**
The flaw lies in the theme selection mechanism available to privileged users. Because uploaded file extensions are insufficiently validated, a privileged user can upload arbitrary file content; the uploaded PHP code can then be included and executed, giving Remote Code Execution (RCE) on the server.
## Exploitation
- Status: not documented in the source report. **Assume a PoC is available** until proven otherwise for high-impact flaws such as RCE.
- Complexity: **Unknown** (Likely Medium for XSS; Medium/High for RCE requiring privilege escalation or existing access).
- Attack Vector:
  - CVE-2025-67683: Network (via malicious link)
  - CVE-2025-67684: Local/Adjacent (requires privileged user access)
## Impact
| CVE | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2025-67683 (XSS) | High (Session Hijacking, Data Theft) | High (Code Execution in Browser Context) | Low |
| CVE-2025-67684 (RCE) | High (Full System Compromise) | High (Code Execution, System Modification) | High (System Downtime) |
## Remediation
### Patches
- **No specific patch version information provided** by the vendor or in the advisory. Users must check for updates from OpenSolution.
### Workarounds
- **For CVE-2025-67684 (RCE via theme upload):** Restrict theme upload functionality strictly to trusted administrators only, or temporarily disable theme modification capabilities if possible.
- **General Mitigation:** Apply strict input validation and output encoding on all user-controllable parameters, particularly `sSort`.
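As an added example (not Quick.Cart code, and not from the CERT Polska advisory), the following Python sketch shows both mitigations listed above: an allowlist on the `sSort` value followed by HTML output encoding, and an upload name check that confines theme files to a fixed directory and a non-executable extension set. The sort values, theme directory and extension list are constructed assumptions; the advisory does not describe Quick.Cart's actual ones.

```python
import html
import os
import re
from urllib.parse import parse_qs

# Allowlist of sort keys the catalogue supports. These values are constructed for the
# example; the advisory does not list the sSort values Quick.Cart actually accepts.
ALLOWED_SORT = {"name_asc", "name_desc", "price_asc", "price_desc"}
DEFAULT_SORT = "name_asc"


def normalize_sort(raw_value):
    """Map an untrusted sSort value onto the allowlist; anything else falls back."""
    if raw_value in ALLOWED_SORT:
        return raw_value
    return DEFAULT_SORT


def encode_for_html(value):
    """Output encoding for text and attribute contexts (quote=True also encodes ' and ")."""
    return html.escape(value, quote=True)


def render_sort_link(query_string):
    """Return the HTML fragment that reflects the chosen sort order.

    Two independent controls are applied: the value is validated against the
    allowlist before it reaches the catalogue query, and it is HTML-encoded before
    it is written into the page. Either alone would stop a reflected script; using
    both means neither control is a single point of failure.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    chosen = normalize_sort(params.get("sSort", [None])[0])
    safe = encode_for_html(chosen)
    return '<a href="?sSort={0}">{0}</a>'.format(safe)


# --- Theme upload hardening --------------------------------------------------

# Constructed path and extension set; Quick.Cart's real template layout is not
# described in the advisory.
THEME_ROOT = "/srv/shop/templates"
ALLOWED_THEME_EXT = {".css", ".png", ".jpg", ".gif", ".svg"}  # nothing the server executes

# One stem of safe characters, exactly one dot, then the extension. Rejects path
# separators, traversal, NUL bytes and double extensions such as "x.php.png".
SAFE_THEME_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


def safe_theme_path(theme_root, submitted_name):
    """Return the absolute path a theme file may be written to, or None if rejected."""
    if not SAFE_THEME_NAME.fullmatch(submitted_name):
        return None
    _, ext = os.path.splitext(submitted_name)
    if ext.lower() not in ALLOWED_THEME_EXT:
        return None
    # Defence in depth: even with the regex, confirm the resolved path stays under
    # the theme root (realpath also collapses symlinks in theme_root itself).
    root = os.path.realpath(theme_root)
    candidate = os.path.realpath(os.path.join(root, submitted_name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    print(render_sort_link("sSort=price_desc"))
    print(render_sort_link("sSort=<b>x</b>"))            # falls back to the default
    print(safe_theme_path(THEME_ROOT, "dark.css"))
    print(safe_theme_path(THEME_ROOT, "../config.php"))  # None
```

The regex deliberately allows only a single dot, so a name like `shell.php.png` is rejected before the extension check; servers that pick a handler from the first extension would otherwise treat such a file as PHP.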
## Detection
- **Indicators of Compromise (IoCs):**
  - Unusual execution of JavaScript on the frontend linked to interactions with Quick.Cart features (for XSS).
  - The presence of unexpected PHP files in directories intended for themes or uploads (for RCE).
- **Detection Methods and Tools:**
  - Review web server access logs for unusual query strings containing script tags or directory traversal sequences (`../`).
  - Security scanners configured to test for reflected XSS payloads targeting known vulnerable parameters (`sSort`).
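The access-log review described above, as an added example that is not part of the advisory: a Python scanner that parses combined-format lines, percent-decodes each query parameter (including double-encoded values) and flags script markup or `../` sequences, reporting the parameter name, source address and response status. The log lines are constructed for the example; the request paths are invented and do not reflect Quick.Cart's real URL layout.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines. Addresses are from the TEST-NET range
# and the request paths are invented; they do not reflect Quick.Cart's real URL layout.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2026:10:01:02 +0000] "GET /index.php?p=products&sSort=price_asc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Jan/2026:10:01:09 +0000] "GET /index.php?p=products&sSort=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Jan/2026:10:02:44 +0000] "GET /admin.php?p=themes&file=..%252F..%252Fconfig.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Jan/2026:10:03:00 +0000] "GET /index.php?p=products&sSort=name_desc HTTP/1.1" 200 5122 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Script markup, javascript: URLs and inline event handlers; traversal in either slash style.
XSS_PATTERN = re.compile(r"<\s*/?\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
TRAVERSAL_PATTERN = re.compile(r"\.\.[/\\]")


def fully_decode(value, max_rounds=3):
    """Strip up to max_rounds layers of percent-encoding so double-encoded values
    (e.g. %252E%252E%252F) are compared in their final decoded form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return (kind, parameter) findings for one request target (path plus query)."""
    findings = []
    query = urlsplit(target).query
    # parse_qs already removes one layer of percent-encoding.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = fully_decode(value)
            if XSS_PATTERN.search(decoded):
                findings.append(("xss", name))
            if TRAVERSAL_PATTERN.search(decoded):
                findings.append(("traversal", name))
    return findings


def scan_log(text):
    """Parse combined-format access log text and return one dict per suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than abort the scan
        for kind, param in classify_request(m.group("target")):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "kind": kind,
                "param": param,
                "status": int(m.group("status")),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The status code is kept in each hit because a traversal attempt answered with 200 is a stronger signal than one the application rejected; triage the 200s first.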
## References
- Vendor Advisories: None provided; vendor failed to respond with details during coordination.
- Relevant links:
  - CERT Polska report: hxxps://cert.pl/en/news/2026/01/quick-cart-vulnerabilities
  - CVE Record: hxxps://www.cve.org/CVERecord?id=CVE-2025-67683
  - CVE Record: hxxps://www.cve.org/CVERecord?id=CVE-2025-67684