CVE-2025-57407: 
PHP vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability exists in the Admin Log Viewer of S-Cart versions 10.0.3 and earlier. The vulnerability was discovered and disclosed on September 23, 2025. The issue allows a remote authenticated attacker to inject arbitrary web script or HTML via a crafted User-Agent header (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability exists in the Admin Log Viewer component where user input from the User-Agent header is not properly sanitized before being displayed in the security log page (NVD).

When exploited, the vulnerability allows an attacker to execute malicious JavaScript code in an administrator's browser when they view the security log page. This could potentially lead to session hijacking or other malicious actions in the context of the administrator's session (NVD).

A fix for this vulnerability has been released in version 1.1.24 of the software. Users are advised to upgrade to this version or later to address the security issue (GitHub Release).