|
Description
|
|
Gjoko Krstic has discovered a vulnerability in xt:Commerce, which can be exploited by malicious users to conduct script insertion attacks.
Input passed via the "products_name_de" parameter to xtAdmin/adminHandler.php (when "load_section" is set to "product") is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.
Successful exploitation requires access permissions to edit products.
The vulnerability is confirmed in version 4.0.15 Pro (18-07-2012). Other versions may also be affected.
|
