search menu icon-carat-right cmu-wordmark

CERT Coordination Center

CS-Cart version 4.0.2 contains cross-site scripting vulnerabilities

Vulnerability Note VU#405942

Original Release Date: 2014-01-23 | Last Revised: 2014-01-28

Overview

CS-Cart version 4.0.2 and possibly earlier versions contain cross-site scripting (XSS) vulnerabilities (CWE-79).

Description

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CS-Cart version 4.0.2 and possibly earlier versions contain cross-site scripting (XSS) vulnerabilities. An attacker can inject arbitrary script via the vulnerable query string parameters settings_file and data_file of the ampie.swf, amline.swf, or amcolumn.swf files.

Impact

A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session.

Solution

Apply Update

The vendor has released CS-Cart 4.1.1 to address the vulnerabilities. Users are advised to upgrade to CS-Cart 4.1.1 or later.

Vendor Information

405942
 
Affected   Unknown   Unaffected

CS-Cart

Notified:  November 22, 2013 Updated:  December 03, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N
Temporal 3.7 E:POC/RL:U/RC:UR
Environmental 0.9 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Nikhil Srivastava from Techdefence Labs for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2013-7317
Date Public: 2013-01-20
Date First Published: 2014-01-23
Date Last Updated: 2014-01-28 15:24 UTC
Document Revision: 23

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.