CVE-2004-2411 Information

Description

The CleanseMessage function in shop$db.asp for VP-ASP Shopping Cart 4.0 through 5.0 does not sufficiently cleanse inputs which allows remote attackers to conduct cross-site scripting (XSS) attacks that do not use script tags as demonstrated via javascript in IMG tags to (1) the cat parameter in shopdisplayproducts.asp or (2) the msg parameter in shoperror.asp and possibly other vectors.

Reference

http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0363.html http://secunia.com/advisories/11846 http://www.osvdb.org/6949 http://www.providesecurity.com/research/advisories/06142004-01.asp http://www.securityfocus.com/bid/10530 http://www.securityfocus.com/bid/10534 http://www.vpasp.com/virtprog/info/faq_securityfixes.htm https://exchange.xforce.ibmcloud.com/vulnerabilities/16411