
CERT Coordination Center

CS-Cart version 4.0.2 contains cross-site scripting vulnerabilities

Vulnerability Note VU#405942

Original Release Date: 2014-01-23 | Last Revised: 2014-01-28


Overview

CS-Cart version 4.0.2 and possibly earlier versions contain cross-site scripting (XSS) vulnerabilities (CWE-79).


Description

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CS-Cart version 4.0.2 and possibly earlier versions contain cross-site scripting (XSS) vulnerabilities. An attacker can inject arbitrary script via the vulnerable query string parameters settings_file and data_file of the ampie.swf, amline.swf, or amcolumn.swf files.
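As an added defender-side example that is not part of this note, the following Python scans constructed Apache-style access-log lines for requests to the three SWF files named above whose settings_file or data_file values are not plain relative paths; the /js/amcharts/ path prefix, the client IPs and the log lines themselves are assumptions, not CS-Cart's actual layout.

```python
"""Flag access-log requests to the amCharts SWF files named in VU#405942 whose
settings_file/data_file parameters are not plain relative paths. Log lines are
constructed samples; the /js/amcharts/ prefix and IPs are assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

VULNERABLE_SWFS = ("ampie.swf", "amline.swf", "amcolumn.swf")
WATCHED_PARAMS = ("settings_file", "data_file")
# Allow-list rule: a legitimate value is a relative path of safe characters.
# A scheme (':'), markup ('<'), a leading '/' or '..' all fail this check.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_./-]+$")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_values(target):
    """Return {param: decoded value} for watched parameters that fail the
    allow-list, or {} when the request is not for one of the three SWFs."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(VULNERABLE_SWFS):
        return {}
    flagged = {}
    for name in WATCHED_PARAMS:
        for value in parse_qs(parts.query).get(name, []):  # percent-decoded
            if not SAFE_VALUE.match(value) or value.startswith("/") or ".." in value:
                flagged[name] = value
    return flagged

def scan_log(lines):
    """Return (client_ip, request_target, flagged_params) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        flagged = suspicious_values(m.group("target"))
        if flagged:
            hits.append((m.group("ip"), m.group("target"), flagged))
    return hits

# Constructed samples: a legitimate chart load, a remote settings file, an unrelated page.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jan/2014:10:00:00 +0000] "GET /js/amcharts/ampie.swf'
    '?settings_file=amcharts/ampie_settings.xml&data_file=amcharts/data.xml HTTP/1.1" 200 512',
    '203.0.113.7 - - [23/Jan/2014:10:00:03 +0000] "GET /js/amcharts/amline.swf'
    '?settings_file=http%3A%2F%2Fexample.invalid%2Fs.xml HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Jan/2014:10:00:05 +0000] "GET /index.php?dispatch=products.view'
    '&settings_file=http%3A%2F%2Fexample.invalid%2Fs.xml HTTP/1.1" 200 2048',
]
```

Running scan_log(SAMPLE_LOG) returns only the 203.0.113.7 request, since the other two are either a same-origin relative path or not a request for one of the SWF files at all.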


Impact

A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session.


Solution

Apply Update

The vendor has released CS-Cart 4.1.1 to address the vulnerabilities. Users are advised to upgrade to CS-Cart 4.1.1 or later.

Vendor Information



Notified: November 22, 2013    Updated: December 03, 2013



Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group          Score   Vector
Base           4.3     AV:N/AC:M/Au:N/C:P/I:N/A:N
Temporal       3.7     E:POC/RL:U/RC:UR
Environmental  0.9     CDP:ND/TD:L/CR:ND/IR:ND/AR:ND



Acknowledgements

Thanks to Nikhil Srivastava from Techdefence Labs for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2013-7317
Date Public: 2013-01-20
Date First Published: 2014-01-23
Date Last Updated: 2014-01-28 15:24 UTC
Document Revision: 23

Sponsored by CISA.