Pentasoft Avactis Shopping Cart Multiple Cross Site Scripting Vulnerabilities

Bugtraq ID:	31054
Class:	Input Validation Error
CVE:	CVE-2008-6969
Remote:	Yes
Local:	No
Published:	Sep 03 2008 12:00AM
Updated:	Apr 16 2015 05:54PM
Credit:	Russ McRee
Vulnerable:	Pentasoft Avactis Shopping Cart 1.8.1 Pentasoft Avactis Shopping Cart 1.8
Not Vulnerable:

Pentasoft Avactis Shopping Cart Multiple Cross Site Scripting Vulnerabilities

Avactis Shopping Cart is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Avactis Shopping Cart 1.8.1 and 1.8.0 are vulnerable; other versions may also be affected.

Pentasoft Avactis Shopping Cart Multiple Cross Site Scripting Vulnerabilities

To exploit these issues, an attacker must entice an unsuspecting victim into following a malicious URI.

Pentasoft Avactis Shopping Cart Multiple Cross Site Scripting Vulnerabilities

Solution:
The vendor has released a patch. The vendor recommends replacing existing copies of the 'avactis-system/core/request.php' file with this patch. Please see the references for details.


Pentasoft Avactis Shopping Cart 1.8

• Pentasoft request.php
  http://www.avactis.com/forums/index.php?s=6ba2bbce808c6cec1a01da0fba04 1d58&act=Attach&type=post&id=270

Pentasoft Avactis Shopping Cart 1.8.1

• Pentasoft request.php
  http://www.avactis.com/forums/index.php?s=6ba2bbce808c6cec1a01da0fba04 1d58&act=Attach&type=post&id=270

Pentasoft Avactis Shopping Cart Multiple Cross Site Scripting Vulnerabilities

References:

• Avactis Shopping Cart (Pentasoft)
  
• Cross-site scripting vulnerability, update available, Security update (Pentasoft)
  
• HIO-2008-0903 Avactis Shopping Cart XSS (Russ McRee)