Vendor: SunShop Web Store Software
By: Unknown
CVSS: 5.5 (MEDIUM)
Arbitrary Script Code Embedding
CWE: 79
Product Name: SunShop Web Store Software
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE: Unknown
CPE: a:sunshop:sunshop
Metasploit:
Other Scripts:
Platforms Tested: Unix, Linux, Microsoft Windows
Unknown

Arbitrary Script Code Embedding in SunShop Web Store Software

The SunShop web store software allows attackers to embed arbitrary script code into form fields, enabling a remote attacker to perform actions as the administrative user of the shopping cart. An attacker can exploit this vulnerability by registering as a new customer and entering a specially crafted name containing script code.

Mitigation:

It is recommended to update to the latest version of SunShop to mitigate this vulnerability. Additionally, input validation should be implemented to prevent script code embedding.
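
One way to apply the mitigation above, shown as an added example that is not SunShop code and not part of the original advisory. The function names, the table-row markup and the name policy (character allow-list, 64-character limit) are assumptions. It contrasts writing a stored customer name into an admin page as-is with encoding it at output time, and adds allow-list validation at registration.

```php
<?php
// Added example: hypothetical handlers, not taken from SunShop.

// Vulnerable pattern: the stored name is emitted as markup, so any tags in it
// are interpreted by the browser of whoever views the customer list.
function render_customer_row_unsafe(string $name): string
{
    return '<tr><td>' . $name . '</td></tr>';
}

// Hardened pattern: encode for the HTML context at the moment of output.
// ENT_QUOTES also encodes ' and ", ENT_SUBSTITUTE replaces invalid UTF-8.
function render_customer_row(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . $safe . '</td></tr>';
}

// Registration-time validation (assumed policy): 1-64 characters, starting
// with a letter, then letters, combining marks, space, period, apostrophe or
// hyphen. The /u flag makes preg_match() fail on invalid UTF-8, and \z
// rejects a trailing newline that $ would accept.
function is_valid_customer_name(string $name): bool
{
    return preg_match('/^\p{L}[\p{L}\p{M} .\'-]{0,63}\z/u', $name) === 1;
}

$samples = [
    "blackhat<script>alert('ouch')</script>", // name quoted in the advisory
    "Anne-Marie O'Neil",                      // constructed legitimate name
];

foreach ($samples as $name) {
    printf(
        "input:    %s\nvalid:    %s\nunsafe:   %s\nhardened: %s\n\n",
        $name,
        is_valid_customer_name($name) ? 'yes' : 'no',
        render_customer_row_unsafe($name),
        render_customer_row($name)
    );
}
```

The second sample passes validation yet still contains an apostrophe, which is why output encoding is applied to every stored value regardless of what validation accepted.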
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/4506/info

SunShop is commercial web store software. It is written in PHP, and will run on most Unix and Linux operating systems as well as Microsoft Windows.

SunShop allows attackers to embed arbitrary script code into form fields. This may enable a remote attacker to perform actions as the administrative user of the shopping cart. 

Enter the following name when registering as a new customer:

blackhat<script>alert('ouch')</script>