header-logo
Suggest Exploit
vendor:
VP-ASP
by:
Not provided
7.5
CVSS
HIGH
Cross-Site Scripting (XSS)
79
CWE
Product Name: VP-ASP
Affected Version From: VP-ASP versions 5.0 and prior
Affected Version To: Not provided
Patch Exists: Unknown (vendor-supplied fix not confirmed)
Related CWE: Not provided
CPE: Not provided
Metasploit:
Other Scripts:
Platforms Tested: Not provided
Not provided

Cross-Site Scripting Vulnerability in VP-ASP

A remote user can launch cross-site scripting attacks by injecting malicious code through the 'msg' parameter in the 'shoperror.asp' script.

Mitigation:

Implement proper input validation and sanitization to prevent XSS attacks. Apply any vendor-supplied fix if available.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10534/info

A vulnerability exists in the software that may allow a remote user to launch cross-site scripting attacks. The problem is reported to exist due to improper sanitizing of user-supplied data in the 'shoperror.asp' script.

An attacker can exploit this issue to steal cookie authentication credentials, or perform other types of attacks. 

VP-ASP versions 5.0 and prior may be prone to this issue. It is possible that a vendor-supplied fix addresses this issue, however, this has not been confirmed at the moment.

http://www.example.com/vpasp/shoperror.asp?msg=<img%20src="javascript:alert('XSS')">
http://www.example.com/vpasp/shoperror.asp?msg=<meta%20http-equiv='refresh'content=
'0'>