Squirrelcart v3.5.4 (table) Remote Cross-Site Scripting Vulnerability

Squirrelcart suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the ‘table’ GET parameter in the ‘index.php’ script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Squirrelcart XSS

Vendor:

Squirrelcart Security Patch #SC130218
Release date: 02/19/2013

XSS (Cross Site Scripting) vulnerability patch
Affected Squirrelcart versions: v2.0.0 – 3.5.4

How to find your version number:
———————————————————————
You can locate your Squirrelcart version in the upper right hand corner of your control panel.

Patch Info and Instructions
———————————————————————
This is a patch for protecting against a XSS (Cross Site Scripting) vulnerability that was discovered on 02/19/2013 by Zero Science Lab:
http://www.zeroscience.mk/. This vulnerability is due to the table parameter passed in the control panel not being sanitized properly,
and can result in HTML or Javascript being inserted into the page.

http://www.squirrelcart.com/downloads.php
http://www.squirrelcart.com/index.php?downloads=1&id=123

ZSL Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5128.php

Comment are closed.