Vulnerability Note VU#924124
X-Cart contains multiple vulnerabilities
X-Cart versions 5.1.6 through 5.1.10 are vulnerable to cross-site scripting (XSS), and versions 5.1.10 and below are vulnerable to authorization bypass.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-0950
X-Cart versions 5.1.6 through 5.1.10 contain a reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary script via the query string parameter substring in admin.php.
A remote, unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session. A remote, authenticated attacker may be able to obtain or remove data associated with other users' accounts.
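The following detection helper is an added example, not part of this advisory or of X-Cart's own code: it scans web server access logs for requests to admin.php whose substring query parameter carries HTML or script markup, the reflected XSS vector described above. The Common Log Format layout, the sample log lines and the markup pattern are assumptions made for the example.

```python
"""Detection helper for VU#924124 / CVE-2015-0950: flag requests to X-Cart's
admin.php whose `substring` query parameter carries HTML or script markup."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Markup a product-search substring never legitimately needs: tag delimiters,
# quotes, javascript: URIs and inline event handlers (assumed pattern).
MARKUP_RE = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)
# Common Log Format: client, ident, user, [timestamp], "request line", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def suspicious_substring(target):
    """Return the decoded `substring` value when `target` is a request to
    admin.php whose substring contains markup, otherwise None."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "admin.php":
        return None
    # parse_qs percent-decodes once; a second unquote catches double encoding.
    for value in parse_qs(parts.query, keep_blank_values=True).get("substring", []):
        decoded = unquote(value)
        if MARKUP_RE.search(decoded):
            return decoded
    return None

def scan_log(lines):
    """Return (client_ip, timestamp, decoded_substring) for each flagged line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        decoded = suspicious_substring(m["target"])
        if decoded is not None:
            hits.append((m["ip"], m["ts"], decoded))
    return hits

# Constructed sample access-log lines (not from the advisory or any real
# system); client addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Apr/2015:10:01:12 +0000] "GET /admin.php?target=products&substring=shirt HTTP/1.1" 200',
    '203.0.113.9 - - [02/Apr/2015:10:02:30 +0000] "GET /admin.php?target=products&substring=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200',
    '198.51.100.7 - - [02/Apr/2015:10:03:05 +0000] "GET /cart.php?substring=%3Cb%3E HTTP/1.1" 200',
    '203.0.113.9 - - [02/Apr/2015:10:04:41 +0000] "GET /admin.php?target=products&substring=%253Cscript%253E HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, ts, decoded in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} admin.php substring={decoded!r}")
```

Only admin.php requests are inspected, so the same characters in another script's substring parameter (the third sample line) are not flagged; widen the path check if other entry points reflect the parameter.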
Apply an update
Vendor Information

| Vendor | Status   | Date Notified | Date Updated |
|--------|----------|---------------|--------------|
| X-Cart | Affected | 03 Feb 2015   | 02 Apr 2015  |
Thanks to Yasser Ali for reporting this vulnerability.
This document was written by Joel Land.
- CVE IDs: CVE-2015-0950, CVE-2015-0951
- Date Public: 02 Apr 2015
- Date First Published: 02 Apr 2015
- Date Last Updated: 02 Apr 2015
- Document Revision: 13