SUMMARY

The open source version of Total Shop UK eCommerce based on CodeIgniter version 2.1.2 is subject to a reflected cross-site scripting vulnerability. The value of a generic request parameter was not sufficiently sanitised before being written into a block of JavaScript code, so a value containing a quote or a closing script tag breaks out of the intended string literal and runs as script in the victim's browser. An attacker could distribute a malicious URL that triggers this vulnerability and potentially steal session cookies, redirect the user to a malicious URL or deliver malware to their machine.
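The following is an added example, not code from the advisory or from Total Shop UK. It reproduces the class of bug described above in a small Node-style template: a request parameter written straight into a `<script>` block, beside a hardened version that JSON-encodes the value and then escapes the HTML-sensitive characters. The parameter name `q`, the variable `search`, the two payloads and the simulated browser are all constructed for illustration; the affected application is PHP (CodeIgniter), and JavaScript is used here only as a stand-in for the server-side template.

```javascript
// Added example, not Total Shop UK code. Parameter name `q`, variable
// `search`, payloads and the simulated cookie value are constructed.

// Vulnerable pattern: the parameter is interpolated into a JS string literal
// with no escaping for the JavaScript context it lands in.
function renderVulnerable(q) {
  return `<script>var search = '${q}';</script>`;
}

// Hardened pattern: JSON.stringify neutralises quotes, backslashes and
// control characters; the extra replaces hide <, > and & from the HTML
// tokenizer so a "</script" inside the value cannot end the script element.
// U+2028/U+2029 are legal in string literals since ES2019; escaping them
// only matters for older engines but costs nothing.
function jsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(q) {
  return `<script>var search = ${jsLiteral(q)};</script>`;
}

// Two classic ways out of a JS string literal: close the quote and append a
// statement, or close the whole <script> element (the HTML parser ends a
// script at the first "</script" no matter how the JavaScript is quoted).
const breakOutPayload = "';alert(document.cookie);//";
const closeTagPayload = '</script><script>alert(document.cookie)</script>';

// Minimal model of the HTML tokenizer: return the body of every <script>
// element, each cut at the first "</script" that follows it.
function scriptBodies(html) {
  const bodies = [];
  const lower = html.toLowerCase();
  let pos = 0;
  for (;;) {
    const open = lower.indexOf('<script>', pos);
    if (open === -1) break;
    const start = open + '<script>'.length;
    let end = lower.indexOf('</script', start);
    if (end === -1) end = html.length;
    bodies.push(html.slice(start, end));
    pos = end;
  }
  return bodies;
}

// Run each script body the way a browser would, with `alert` and
// `document.cookie` replaced by recording stand-ins. A SyntaxError aborts
// only that script element; the next one still runs, which is exactly what
// the close-tag payload relies on.
function simulateBrowser(html) {
  const alerts = [];
  const fakeDocument = { cookie: 'session=constructed-value' };
  let search;
  for (const body of scriptBodies(html)) {
    try {
      const fn = new Function('alert', 'document',
        body + '\n;return typeof search === "undefined" ? undefined : search;');
      const result = fn((x) => alerts.push(x), fakeDocument);
      if (result !== undefined) search = result;
    } catch (e) {
      if (!(e instanceof SyntaxError)) throw e;
    }
  }
  return { search, alerts };
}
```

Running `simulateBrowser` over the four combinations shows the difference: both payloads make the vulnerable page call `alert` with the cookie, while the hardened page yields exactly one script element and a `search` value that round-trips to the original parameter untouched. In PHP, the same hardening is `json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)`; the important point is that HTML-entity escaping alone is not enough inside a script block, because entities are not decoded there and the script-closing tag is still visible to the HTML parser.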

  • CVE number: CVE-2012-4236
  • Impact: High
  • Vendor homepage: http://www.totalshopuk.com/
  • Vendor notified: 06/08/2012
  • Vendor fixed: 08/08/2012
  • Credit: Chris Cooper and Joseph Sheridan of Reaction Information Security