Valdersoft Shopping Cart cross-site scripting

valdersoftshoppingcart-xss (19846) The risk level is classified as MediumMedium Risk

Description:

Valdersoft Shopping Cart is vulnerable to cross-site scripting caused by improper handling of user-supplied information. A remote attacker could send a specially-crafted URL request to vulnerable scripts, such as the index.php script or the search_result.php script which, once the link is clicked, would be executed in the victim's Web browser within the security context of the hosting site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials, obtain sensitive information, or perform actions as the victim.

Platforms Affected:

  • Valdersoft, Valdersoft Shopping Cart 3.0

Remedy:

Upgrade to the latest version of Valdersoft Shopping Cart (3.0 or later), available from the Valdersoft Shopping Cart Web site. See References.

Consequences:

Gain Access

References:

  • Valdersoft Shopping Cart Web site, E-Commerce Solutions and Shopping Cart Software by VALDERSOFT at http://www.valdersoft.com/index.php.
  • BID-12916: Valdersoft Shopping Cart Multiple Input Validation Vulnerabilities
  • CVE-2005-0908: Multiple cross-site scripting (XSS) vulnerabilities in Valdersoft Shopping Cart 3.0 allow remote attackers to inject arbitrary web script or HTML via (1) the lang parameter to index.php or (2) the searchTopCategoryID parameter to search_result.php.
  • SECTRACK ID: 1013565: Valdersoft Shopping Cart Input Validation Holes Permit SQL Injection and Cross-Site Scripting Attacks

Reported:

Mar 27, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page