CERT/CC Vulnerability Note VU#405942

Overview

CS-Cart version 4.0.2 and possibly earlier versions contain cross-site scripting (XSS) vulnerabilities (CWE-79).

Description

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CS-Cart version 4.0.2 and possibly earlier versions contain cross-site scripting (XSS) vulnerabilities. An attacker can inject arbitrary script via the vulnerable query string parameters settings_file and data_file of the ampie.swf, amline.swf, or amcolumn.swf files.

Impact

A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session.

Solution

Apply Update

The vendor has released CS-Cart 4.1.1 to address the vulnerabilities. Users are advised to upgrade to CS-Cart 4.1.1 or later.

Vendor Information

405942

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

CS-Cart Affected

Notified: November 22, 2013 Updated: December 03, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base	4.3	AV:N/AC:M/Au:N/C:P/I:N/A:N
Temporal	3.7	E:POC/RL:U/RC:UR
Environmental	0.9	CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Nikhil Srivastava from Techdefence Labs for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs:	CVE-2013-7317
Date Public:	2013-01-20
Date First Published:	2014-01-23
Date Last Updated:	2014-01-28 15:24 UTC
Document Revision:	24

Software Engineering Institute

CERT Coordination Center

CS-Cart version 4.0.2 contains cross-site scripting vulnerabilities

Vulnerability Note VU#405942

Overview

Description

Impact

Solution

Vendor Information

CS-Cart Affected

Status

Vendor Statement

Vendor Information

CVSS Metrics

References

Acknowledgements

Other Information

Contact CERT/CC