OsCommerce Local File Include And HTML Injection Vulnerabilities Network Vulnerability

Summary

osCommerce is prone to a local file-include vulnerability and an HTML- injection vulnerability because it fails to properly sanitize user- supplied input. An attacker can exploit the local file-include vulnerability using directory- traversal strings to execute local files within the context of the webserver process. The attacker may leverage the HTML-injection issue to execute arbitrary HTML and script code in the context of the affected browser. This may let the attacker steal cookie-based authentication credentials or control how the site is rendered to the user. osCommerce 3.0a5 is affected other versions may also be vulnerable.

References

http://ictsec.wordpress.com/exploits/oscommerce-v3-0a5-multiple-vulnerabilities/
http://www.oscommerce.com
http://www.securityfocus.com/bid/39820

Updated on 2015-03-25

Severity

Classification

CVSS	Base Score: 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

AjaXplorer 'doc_file' Parameter Local File Disclosure Vulnerability
An Image Gallery Multiple Cross-Site Scripting Vulnerability
aeNovo Database Content Disclosure Vulnerability
Adobe ColdFusion Multiple Vulnerabilities-03 May-2014
Apache mod_proxy_ajp Information Disclosure Vulnerability

osCommerce Local File Include and HTML Injection Vulnerabilities

Take action and discover your vulnerabilities