CubeCart 2.0.x Multiple XSS and Path Disclosure Vulnerability Advisory

Key Information Vulnerability Description Vulnerability Type: Cross-Site Scripting (XSS) attacks and path disclosure affecting multiple variables Affected System: CubeCart 2.0.x series Release Date: February 25, 2005 Scope of Impact Affected Versions: 2.0.0 to 2.0.5 2.0.6 is not affected Affected Files XSS-Affected Files: forgot_pass.php index.php login.php logout.php new_pass.php register.php sale_cat.php search.php tellafriend.php view_doc.php view_order.php view_product.php your_links.php your_orders.php Path Disclosure-Affected Files: information.php language.php list_docs.php popular_prod.php sale.php subfooter.inc.php subheader.inc.php cat_navi.php Exploitation Examples Exploits multiple XSS vulnerabilities caused by insufficient validation of variables. Example URLs include: - - - Other URLs involving XSS and path disclosure Remediation Upgrade: Most XSS vulnerabilities were fixed in version 2.0.6. Users are advised to upgrade to the latest version. Path Disclosure Fix: Official patch released by CubeCart on February 21, 2005. Additional Information Security Advisory: Related OSVDB IDs: 14062 and 13810. Discoverer: Lostmon, discovered on February 15, 2005, and reported to the vendor through appropriate channels. Conclusion CubeCart 2.0.x series suffers from multiple XSS attacks and path disclosure vulnerabilities due to unvalidated variables, posing potential security risks to users. The vendor has addressed most issues in version 2.0.6. Users should upgrade promptly.

Goal Reached Thanks to every supporter — we hit 100%!

CubeCart 2.0.x Multiple XSS and Path Disclosure Vulnerability Advisory