Vulnerability Note VU#405942

CS-Cart version 4.0.2 contains cross-site scripting vulnerabilities

Original Release date: 23 Jan 2014 | Last revised: 28 Jan 2014

Overview

CS-Cart version 4.0.2 and possibly earlier versions contain cross-site scripting (XSS) vulnerabilities (CWE-79).

Description

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CS-Cart version 4.0.2 and possibly earlier versions contain cross-site scripting (XSS) vulnerabilities. An attacker can inject arbitrary script via the vulnerable query string parameters settings_file and data_file of the ampie.swf, amline.swf, or amcolumn.swf files.

Impact

A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session.

Solution

Apply Update

The vendor has released CS-Cart 4.1.1 to address the vulnerabilities. Users are advised to upgrade to CS-Cart 4.1.1 or later.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
CS-CartAffected22 Nov 201303 Dec 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N
Temporal 3.7 E:POC/RL:U/RC:UR
Environmental 0.9 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Nikhil Srivastava from Techdefence Labs for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2013-7317
  • Date Public: 20 Jan 2013
  • Date First Published: 23 Jan 2014
  • Date Last Updated: 28 Jan 2014
  • Document Revision: 23

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.