5.1
SOTESHOP 8.3.4 allows malicious URLs to steal user info
CVE-2025-40701
Summary
An attacker can trick a victim into visiting a malicious URL and then steal sensitive user information or take control of the victim's account. The attack takes place when a malicious link is shared with the victim and the victim opens it in their browser. To protect against this, make sure to only visit trusted links and keep software up to date.
Original title
Reflected Cross-Site Scripting vulnerability in SOTESHOP, version 8.3.4. This vulnerability allows an attacker to execute JavaScript code in the victim's browser when a malicious URL with the 'id' par...
Original description
Reflected Cross-Site Scripting vulnerability in SOTESHOP, version 8.3.4. This vulnerability allows an attacker to execute JavaScript code in the victim's browser when a malicious URL with the 'id' parameter in '/adsTracker/checkAds' is sent to the victim. The vulnerability can be exploited to steal sensitive user information such as session cookies, or to perform actions on their behalf.
nvd CVSS4.0
5.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
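Detection example
Shop operators can triage web server access logs for requests to the endpoint named in the description whose 'id' value carries HTML markup characters. The script below is an added example, not code from SOTESHOP or from the advisory. It assumes combined-format access logs and that 'id' arrives in the query string; the markup character set is a heuristic and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the advisory description.
PATH = "/adsTracker/checkAds"
PARAM = "id"
# Heuristic (assumption): characters needed to leave an HTML text or attribute context.
MARKUP = re.compile(r"[<>\"'`]")
# Request line of a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, harmless markup).
SAMPLE = [
    '203.0.113.5 - - [01/Mar/2026:10:00:00 +0000] "GET /adsTracker/checkAds?id=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Mar/2026:10:00:05 +0000] "GET /adsTracker/checkAds?id=%22%3E%3Cb%3Etest HTTP/1.1" 200 530',
    '203.0.113.9 - - [01/Mar/2026:10:00:09 +0000] "GET /adsTracker/checkAds?id=%253Cb%253E HTTP/1.1" 200 530',
    '198.51.100.7 - - [01/Mar/2026:10:01:00 +0000] "GET /product/list?id=%3Cb%3E HTTP/1.1" 200 900',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (line_number, decoded id value) for requests that need triage."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        # Substring match tolerates a front-controller or language prefix in the path.
        if PATH.lower() not in url.path.lower():
            continue
        # parse_qs decodes once; fully_decode handles any further encoding layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            value = fully_decode(raw)
            if MARKUP.search(value):
                hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE):
        print(f"line {number}: id={value!r}")
```

A hit shows that someone sent markup to the endpoint, not that a victim's browser executed it; correlate hits with referrers and with session activity that follows.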