| Field | Value |
|---|---|
| VID | 21273 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The osCommerce installation on the web server has multiple cross-site scripting (XSS) vulnerabilities. osCommerce is an online shop e-commerce solution under ongoing development by the open source community. osCommerce version 2.2ms1 and earlier allow cross-site scripting attacks: a remote attacker could craft a malicious link to a site hosting osCommerce that contains hostile HTML and script code. These problems arise from insufficient sanitization of user-supplied input passed to multiple osCommerce scripts. When such a link is visited, the attacker-supplied code is interpreted in the user's web client. This may make it possible to steal an unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. References: http://www.securityfocus.com/archive/1/315706 and http://www.iproyectos.com/sections/advisory/index.php#section2. Platforms Affected: osCommerce version 2.2ms1 and earlier. |
| Recommendation | Upgrade to the latest version (2.2ms2 or later) of osCommerce, available from the osCommerce download page at http://www.oscommerce.com/downloads |
| Related URL | (CVE) |
| Related URL | 7151, 7153, 7155, 7156, 7158 (SecurityFocus) |
| Related URL | (ISS) |