CosmicShoppingCart search_price.php XSS

2006-05-25T09:04:19
ID OSVDB:26092
Type osvdb
Reporter Vympel (Marcelo Almeida)(vympel.br@gmail.com)
Modified 2006-05-25T09:04:19

Description

Vulnerability Description

CosmicShoppingCart contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate unspecified variables upon submission to the search_price.php script. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
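Because no vendor fix is listed, the following is an added example (not CosmicShoppingCart's code) of the reflected cross site scripting pattern the advisory describes and the server-side hardening a developer would apply to search_price.php. The advisory does not name the affected variables; the "price" query-string parameter, the function names and the request array below are hypothetical and serve only to illustrate the pattern.

```php
<?php
// Added example, not CosmicShoppingCart's code. The advisory does not name the
// affected parameter(s); "price" is a hypothetical query-string variable used
// only to illustrate the reflected-XSS pattern and its fix.

// Vulnerable pattern: the request value is echoed straight into the HTML body,
// so a crafted URL such as search_price.php?price=<script>...</script> has its
// script executed in the victim's browser under the site's origin.
function render_search_vulnerable(array $get): string
{
    $price = $get['price'] ?? '';
    return "<p>Results for price: $price</p>";
}

// Hardened pattern: validate the value against what a price may look like,
// then HTML-encode anything that is reflected back to the client.
function render_search_hardened(array $get): string
{
    $raw = $get['price'] ?? '';
    // Allow-list validation: digits with an optional two-digit decimal part.
    if (!preg_match('/^\d{1,9}(\.\d{1,2})?$/', $raw)) {
        return '<p>Invalid price.</p>';
    }
    // Output encoding as defence in depth even after validation; ENT_QUOTES
    // also covers single quotes in case the value is ever placed in an attribute.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Results for price: $safe</p>";
}

// Constructed requests (not from the advisory) to exercise both functions
// offline without a web server.
$attack = ['price' => '<script>alert(1)</script>'];
$benign = ['price' => '19.99'];

echo render_search_vulnerable($attack), PHP_EOL;
echo render_search_hardened($attack), PHP_EOL;
echo render_search_hardened($benign), PHP_EOL;
```

Run the file with the php command-line interpreter; the vulnerable function reflects the script tag untouched, while the hardened one rejects it at validation and would encode any angle brackets that slipped past validation. Encoding must match the output context (HTML body here; attribute, JavaScript or URL contexts need different encoders).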

References:

Vendor URL: http://www.cosmicphp.com/
Security Tracker: 1016164
Secunia Advisory ID: 20272
Related OSVDB ID: 26089
Related OSVDB ID: 26090
Related OSVDB ID: 26091
Related OSVDB ID: 26093
Other Advisory URL: http://www.zone-h.org/advisories/read/id=9058
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0683.html
Keyword: ZH2006-20
ISS X-Force ID: 26681
FrSIRT Advisory: ADV-2006-1984
CVE: CVE-2006-2649