Test ID:	1.3.6.1.4.1.25623.1.0.802199
Category:	Web application abuses
Title:	CubeCart Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
Summary:	CubeCart is prone to SQL injection and multiple cross-site scripting vulnerabilities.
Description:	Summary: CubeCart is prone to SQL injection and multiple cross-site scripting vulnerabilities. Vulnerability Insight: The flaws are due to - Input passed to the 'amount', 'cartId', 'email', 'transId', and 'transStatus' parameters in 'modules/gateway/WorldPay/return.php' is not properly sanitised before being returned to the user. - Input passed via the 'searchStr' parameter to index.php (when '_a' is set to 'viewCat') is not properly sanitised before being used in a SQL query. Vulnerability Impact: Successful exploitation will let attackers to execute arbitrary HTML and script code in a user's browser session in context of an affected site and manipulate SQL queries by injecting arbitrary SQL code. Affected Software/OS: CubeCart version 4.3.3. Solution: Upgrade to CubeCart version 4.4.2 or later. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2010-4903 BugTraq ID: 43114 http://www.securityfocus.com/bid/43114 Bugtraq: 20100909 SQL Injection and XSS vulnerabilities in CubeCart version 4.3.3 (Google Search) http://www.securityfocus.com/archive/1/513572/100/0/threaded http://www.acunetix.com/blog/web-security-zone/articles/sql-injection-xss-cubecart-4-3-3/ http://secunia.com/advisories/41352 http://securityreason.com/securityalert/8441
Copyright	Copyright (C) 2011 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.