JVNDB-2012-000005

[Japanese]
JVNDB-2012-000005
osCommerce vulnerable to cross-site scripting
Overview
osCommerce contains a cross-site scripting vulnerability. osCommerce is an open source system for creating shopping websites. osCommerce contains a cross-site scripting vulnerability. Masako Oono reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V2 Severity: Base Metrics 4.3 (Medium) [IPA Score] Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
Affected Products

osCommerce osCommerce 2.2 MS1 Japanese version R8 and earlier

Impact
An arbitrary script may be executed on the user's web browser.
Solution
[Update the software] Update to the latest version according to the information provided by the developer.
Vendor Information
osCommerce osCommerce Japanese Localization Project : osCommerce for creating shopping websites - Support Documents (Japanese only) osCommerce Japanese Localization Project : osCommerce Japanese version - downloads (Japanese only) osCommerce Japanese Localization Project : [Important] About cross-site scripting vulnerability (Japanese only)
CWE (What is CWE?)
Cross-site Scripting(CWE-79) [IPA Evaluation]
CVE (What is CVE?)
CVE-2012-0312
References
JVN : JVN#64386898 National Vulnerability Database (NVD) : CVE-2012-0312
Revision History
[2012/01/20] Web page was published. [2012/04/26] Affected Products : osCommerce Online Merchant was deleted. Vendor Information : osCommerce (Downloads) was deleted.


Date Public	2012/01/20
Date First Published	2012/01/20
Date Last Updated	2012/04/26

osCommerce vulnerable to cross-site scripting