jCart 1.1 my-item-name POST Parameter XSS

This script is Copyright (C) 2011-2012 Tenable Network Security, Inc.


Synopsis :

The remote web server hosts an application that is affected by a
cross-site scripting vulnerability.

Description :

The remote web server hosts jCart.

Nessus was able to trigger a cross-site scripting vulnerability
against one of the application's PHP scripts by submitting a crafted
value in the 'my-item-name' POST parameter; the value is reflected in
the response without adequate output encoding.

In addition, this web application is likely to be affected by
uncontrolled redirection and cross-site request forgery
vulnerabilities, although Nessus has not checked for them.
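The reflection check below is added here as an illustration and is not code from the Nessus plugin or from the jCart project. It shows how a scanner confirms this class of finding: a harmless marker containing the characters an XSS payload needs (< > " ') is submitted in the my-item-name POST parameter, and the response is classified by whether the marker comes back verbatim (reflected without encoding), comes back HTML-encoded (sink is protected), or does not come back at all. The target URL and the name of the PHP script that handles the cart form are assumptions supplied by the caller; the page does not name the script. The sample responses in the block are constructed so the classifier can be exercised offline.

```python
import html
import urllib.parse
import urllib.request

# Marker with no active payload: reflection of these raw characters is
# enough to demonstrate missing output encoding, which is the root cause
# of the reflected XSS in the my-item-name parameter.
PROBE = '<xss"\'probe>'

# The parameter the advisory names; it is the only field the page supports.
PARAM = "my-item-name"


def is_reflected_unescaped(body: str, probe: str = PROBE) -> bool:
    """True when the probe appears verbatim (not HTML-encoded) in the body."""
    return probe in body


def is_reflected_escaped(body: str, probe: str = PROBE) -> bool:
    """True when the probe appears only in its HTML-escaped form."""
    return html.escape(probe, quote=True) in body


def classify_response(body: str, probe: str = PROBE) -> str:
    """Classify a response body as 'vulnerable', 'encoded' or 'not reflected'."""
    if is_reflected_unescaped(body, probe):
        return "vulnerable"
    if is_reflected_escaped(body, probe):
        return "encoded"
    return "not reflected"


def build_post_request(url: str, param: str = PARAM,
                       probe: str = PROBE) -> urllib.request.Request:
    """Build the POST that submits the probe in the named parameter.

    url is an assumption: the caller points it at whichever jCart PHP
    script processes the add-to-cart form on the installation under test.
    """
    data = urllib.parse.urlencode({param: probe}).encode("utf-8")
    return urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def check_target(url: str, timeout: float = 10.0) -> str:
    """Send the probe to a live target and classify the reflection (network)."""
    with urllib.request.urlopen(build_post_request(url), timeout=timeout) as resp:
        body = resp.read().decode(resp.headers.get_content_charset() or "utf-8",
                                  errors="replace")
    return classify_response(body)


# Constructed sample responses (not captured from a real server) so the
# classifier can be run offline: an unencoded echo of the item name, a
# properly encoded echo, and a page that does not echo the value at all.
SAMPLE_RESPONSES = {
    "unencoded": '<td class="item-name">' + PROBE + '</td>',
    "encoded": '<td class="item-name">' + html.escape(PROBE, quote=True) + '</td>',
    "silent": '<html><body><p>Cart is empty.</p></body></html>',
}


def classify_samples() -> dict:
    """Run the classifier over the constructed samples; used for self-checking."""
    return {name: classify_response(body) for name, body in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:10s} -> {verdict}")
```

Checking for the encoded form as well as the raw form matters in practice: a response that contains only the escaped marker is evidence the upgrade (or a local patch) actually fixed the sink, not merely that the page changed, which is what you want when re-testing after the vendor-recommended upgrade.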

See also :

http://conceptlogic.com/jcart/help/viewtopic.php?f=6&t=669

Solution :

Upgrade to jCart 1.2 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 4.1
(CVSS2#E:F/RL:U/RC:C)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 55775

Bugtraq ID: 43639

CVE ID: