Pinnacle Cart Index.PHP Cross-Site Scripting Vulnerability

Bugtraq ID:	17794
Class:	Input Validation Error
CVE:	CVE-2006-2163
Remote:	Yes
Local:	No
Published:	May 02 2006 12:00AM
Updated:	Feb 22 2007 02:36AM
Credit:	r0t is credited with the discovery of this vulnerability.
Vulnerable:	Pinnacle Cart Pinnacle Cart 3.3 Pinnacle Cart Pinnacle Cart
Not Vulnerable:	Pinnacle Cart Pinnacle Cart 3.5

Pinnacle Cart Index.PHP Cross-Site Scripting Vulnerability

Pinnacle Cart is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Pinnacle Cart Index.PHP Cross-Site Scripting Vulnerability

This issue can be exploited through a web client.

The following proof-of-concept URI is available:

• /data/vulnerabilities/exploits/PinnacleCart-xss-0502.txt

Pinnacle Cart Index.PHP Cross-Site Scripting Vulnerability

Solution:
The vendor has released version 3.5 to address this issue; please contact the vendor for information on obtaining an upgrade.

Pinnacle Cart Index.PHP Cross-Site Scripting Vulnerability

References:

• Pinnacle Cart XSS (r0t)
  
• Pinnacle Cart Homepage (Pinnacle Cart)