{"vuid":"VU#405942","idnumber":"405942","name":"CS-Cart version 4.0.2 contains cross-site scripting vulnerabilities","keywords":["CS-Cart","input validation","cross-site scripting","XSS","CWE-79"],"overview":"CS-Cart version 4.0.2 and possibly earlier versions contain cross-site scripting (XSS) vulnerabilities (CWE-79).","clean_desc":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CS-Cart version 4.0.2 and possibly earlier versions contain cross-site scripting (XSS) vulnerabilities. An attacker can inject arbitrary script via the vulnerable query string parameters settings_file and data_file of the ampie.swf, amline.swf, or amcolumn.swf files.","impact":"A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session.","resolution":"Apply Update. The vendor has released CS-Cart 4.1.1 to address the vulnerabilities. Users are advised to upgrade to CS-Cart 4.1.1 or later.","workarounds":"","sysaffected":"","thanks":"Thanks to Nikhil Srivastava from Techdefence Labs for reporting this vulnerability.","author":"This document was written by Jared Allar.","public":["http://cwe.mitre.org/data/definitions/79.html","https://www.cs-cart.com/","http://blog.cs-cart.com/2014/01/15/cs-cart-and-multi-vendor-4-1-1-released-cs-cart-facebook-app-is-coming/"],"cveids":["CVE-2013-7317"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2013-10-24T18:31:31Z","publicdate":"2013-01-20T00:00:00Z","datefirstpublished":"2014-01-23T19:38:27Z","dateupdated":"2014-01-28T15:24:04Z","revision":24,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"N","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"UR","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"4.3","cvss_basevector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","cvss_temporalscore":"3.7","cvss_environmentalscore":"0.9182973429","cvss_environmentalvector":"CDP:ND/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}