CS-Cart version 4.0.2 and possibly earlier versions contain cross-site scripting (XSS) vulnerabilities (CWE-79).
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
An attacker can inject arbitrary script via the vulnerable query string parameters settings_file and data_file of the ampie.swf, amline.swf, or amcolumn.swf files.
A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session.
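To see whether the affected files have been requested with these parameters on a given store, web server access logs can be reviewed. The script below is an added example, not part of the original advisory or of CS-Cart; it assumes common/combined access log format, and the sample log lines and the /path/to/ directory in them are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# File and parameter names are the ones listed in the advisory.
SWF_FILES = {"ampie.swf", "amline.swf", "amcolumn.swf"}
PARAMS = {"settings_file", "data_file"}

# Request line inside a common/combined log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def flag_request(target):
    """Return [(swf, param, decoded_value)] for a request target that
    addresses a listed SWF file and supplies a listed parameter."""
    parts = urlsplit(target)
    # Decode the path so a percent-encoded file name still matches.
    swf = unquote(parts.path).rsplit("/", 1)[-1].lower()
    if swf not in SWF_FILES:
        return []
    hits = []
    # parse_qsl decodes percent-encoding; names are compared case-insensitively.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in PARAMS:
            hits.append((swf, name.lower(), value))
    return hits

def scan(lines):
    """Return [(line_number, swf, param, decoded_value)] for analyst review."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            for hit in flag_request(match.group(1)):
                findings.append((lineno,) + hit)
    return findings

# Constructed sample log lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Jan/2014:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [23/Jan/2014:10:00:05 +0000] "GET /path/to/ampie.swf?settings_file=settings%2Fpie.xml HTTP/1.1" 200 40211',
    '203.0.113.9 - - [23/Jan/2014:10:02:11 +0000] "GET /PATH/TO/AmLine.SWF?Data_File=report.xml&x=1 HTTP/1.1" 200 40211',
    '203.0.113.9 - - [23/Jan/2014:10:02:15 +0000] "GET /path/to/amcolumn.swf HTTP/1.1" 200 40211',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Each finding carries the decoded parameter value so a reviewer can compare it against the values the store's own pages normally pass to these files.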
Thanks to Nikhil Srivastava from Techdefence Labs for reporting this vulnerability.
This document was written by Jared Allar.
|Date First Published:|2014-01-23|
|Date Last Updated:|2014-01-28 15:24 UTC|