← Advisories

Axis Commerce 0.8.7.2 Remote Script Insertion Vulnerabilities

Medium

Advisory ID

ZSL-2012-5115

Release Date

30 November 2012

Vendor

Axis - http://www.axiscommerce.com

Affected Version

0.8.7.2

CVE

N/A

Tested On

Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.4, MySQL 5.5.25a

Summary

Powerful open source ecommerce platform.

Description

Axis Commerce suffers from multiple stored XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Proof of Concept

axiscommerce_xss.htmlTXT

Disclosure Timeline

27.11.2012Vulnerabilities discovered.

28.11.2012Initial contact with the vendor.

29.11.2012No reply from vendor.

30.11.2012Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://github.com/axis/axiscommerce/issues/233

[2]http://packetstormsecurity.org/files/118501