Vendor: xt:Commerce
By: SecurityFocus
CVSS: 7.5 (HIGH)
Session-Fixation and Cross-Site Scripting
CWE: 384, 79
Product Name: xt:Commerce
Affected Version From: 03.04
Affected Version To: 03.04
Patch Exists: YES
Related CWE: N/A
CPE: xtcommerce304
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

xt:Commerce Multiple Vulnerabilities

An attacker can leverage the session-fixation issue to hijack a session of an unsuspecting user. The attacker can exploit the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Mitigation:

Ensure that all user input is validated and filtered before being used in the application. Ensure that all user input is properly encoded before being used in the application.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/31313/info
 
xt:Commerce is prone to multiple vulnerabilities, including a session-fixation vulnerability and a cross-site scripting vulnerability.
 
An attacker can leverage the session-fixation issue to hijack a session of an unsuspecting user. The attacker can exploit the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 
xt:Commerce 3.04 is vulnerable; other versions may also be affected.

https://www.example.com/xtcommerce304/shopping_cart.php/XTCsid/15031988
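
The URL above carries the session identifier in the request path (`XTCsid/<value>`), so requests that arrive with a URL-borne id show up in web server access logs. The following Python is an added example, not part of the advisory or of xt:Commerce: it reports any `XTCsid` value presented by more than one client address. The log lines are constructed samples, and the combined log format, the query-string form `?XTCsid=` and the `login.php` and `index.php` paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Sep/2008:10:01:02 +0000] "GET /xtcommerce304/shopping_cart.php/XTCsid/15031988 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Sep/2008:10:07:41 +0000] "GET /xtcommerce304/shopping_cart.php/XTCsid/15031988 HTTP/1.1" 200 5120 "http://mail.example.net/" "Mozilla/4.0"
198.51.100.23 - - [20/Sep/2008:10:08:03 +0000] "POST /xtcommerce304/login.php?XTCsid=15031988 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.55 - - [20/Sep/2008:10:09:00 +0000] "GET /xtcommerce304/index.php/XTCsid/a81c3f0e9d HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
"""

# Client address and request target from one combined-log-format line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*"')
# Session id carried in the path (/XTCsid/<id>) or, as an assumption,
# in the query string (?XTCsid=<id> or &XTCsid=<id>).
SID_IN_URL = re.compile(r"[/?&]XTCsid[/=]([^/?&#\s]+)")


def url_session_ids(log_text):
    """Yield (client, sid) for every request that carries XTCsid in its URL."""
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if match:
            for sid in SID_IN_URL.findall(match.group(2)):
                yield match.group(1), sid


def find_shared_session_ids(log_text):
    """Return {sid: [clients]} for ids presented by more than one client.

    Clients are listed in first-seen order, so the first entry is the
    address that introduced the id.
    """
    clients = defaultdict(list)
    for client, sid in url_session_ids(log_text):
        if client not in clients[sid]:
            clients[sid].append(client)
    return {sid: ips for sid, ips in clients.items() if len(ips) > 1}


if __name__ == "__main__":
    for sid, ips in find_shared_session_ids(SAMPLE_LOG).items():
        print(f"XTCsid {sid} presented by {len(ips)} clients: {', '.join(ips)}")
```

A hit is a lead for review rather than proof: clients behind shared NAT or on changing mobile addresses can legitimately present the same id from different addresses.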