cpCommerce Multiple Cross-Site Scripting Vulnerabilities

Report ID: SA32353
Source: Secunia
Date of Discovery: 20.10.2008
Criticality: Low
Affects:
cpCommerce 1.x

Compromise From: From remote
Compromise Type: Cross site scripting

Summary

Some vulnerabilities have been reported in cpCommerce, which can be exploited by malicious people to conduct cross-site scripting attacks.

Detailed Description

Input passed to the "search" parameter in search.php and to the "name" parameter in sendtofriend.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
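
The class of fix for the issue described above is to encode each parameter for its output context before returning it to the browser. The following PHP is an added example, not cpCommerce code: the function names and page markup are hypothetical, only the parameter and file names come from the advisory, and PHP 7 or later is assumed.

```php
<?php
// Added illustration, not cpCommerce source. All function names are hypothetical.

/** Read one string parameter; array-valued input (?search[]=x) is rejected. */
function request_string(array $source, string $key, int $maxLen = 200): string
{
    $value = $source[$key] ?? '';
    if (!is_string($value)) {
        return '';
    }
    // A byte-wise cut may split a multi-byte character; h() below replaces
    // any resulting invalid sequence via ENT_SUBSTITUTE.
    return substr(trim($value), 0, $maxLen);
}

/** Encode for HTML element content and for quoted attribute values. */
function h(string $value): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close an attribute.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Pattern the advisory describes: the parameter is returned unmodified.
//   echo 'Results for: ' . $_GET['search'];

/** "search" parameter echoed in element content and in an attribute value. */
function render_search_form(array $query): string
{
    $term = request_string($query, 'search');
    return '<p>Results for: ' . h($term) . "</p>\n"
         . '<form action="search.php" method="get">'
         . '<input type="text" name="search" value="' . h($term) . '">'
         . '</form>';
}

/** "name" parameter echoed in element content. */
function render_friend_greeting(array $post): string
{
    $name = request_string($post, 'name', 80);
    return '<p>Message sent on behalf of ' . h($name) . '.</p>';
}

// Constructed sample input containing markup characters and quotes.
$sample = ['search' => '"><b>shoes</b>', 'name' => "O'Brien <admin>"];
echo render_search_form($sample), "\n";
echo render_friend_greeting($sample), "\n";
```

The same encoder is only correct for HTML body and quoted-attribute contexts; values placed inside script blocks, URLs or CSS need encoding specific to those contexts.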

Solution

Update to version 1.2.4.

CVE Reference

CVE-2008-4121