Aktivate Cross-Site Scripting Vulnerability

vendor:

Aktivate

by:

SecurityFocus

3.3

CVSS

MEDIUM

Cross-Site Scripting

CWE

Product Name: Aktivate

Affected Version From: 01.03

Affected Version To: 01.03

Patch Exists: NO

Related CWE: N/A

CPE: Aktivate

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Unix, Linux

2002

Aktivate Cross-Site Scripting Vulnerability

Aktivate is prone to cross-site scripting attacks. It is possible to construct a link containing arbitrary script code to a website running Aktivate. When a user browses the link, the script code will be executed on the user in the context of the site hosting the affected software. The impact of this issue is that the attacker is able to hijack a legitimate web user's session, by stealing cookie-based authentication credentials. Other cross-site scripting attacks are also possible.

Mitigation:

Input validation and output encoding should be used to prevent cross-site scripting attacks.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/3714/info

Aktivate is a shopping cart system which is geared towards Unix and Linux users, uses MySQL as a backend, and is written in Perl.

Aktivate is prone to cross-site scripting attacks. It is possible to construct a link containing arbitrary script code to a website running Aktivate. When a user browses the link, the script code will be executed on the user in the context of the site hosting the affected software.

The impact of this issue is that the attacker is able to hijack a legitimate web user's session, by stealing cookie-based authentication credentials. Other cross-site scripting attacks are also possible.

Aktivate 1.03 is known to be vulnerable, other versions may also be affected. 

https://host/aktivate/cgi-bin/catgy.cgi?key=0&cartname=axa200135022551089&desc=<script>alert(document.domain)</script>