Lockon · Lockon Ec-Cube · CVE-2013-3652
**Name of the Vulnerable Software and Affected Versions**
LOCKON EC-CUBE versions 2.11.0 through 2.12.4
**Description**
A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML through vectors involving the `classcategory_id2` field.
**Recommendations**
For versions 2.11.0 through 2.12.4, consider restricting access to the `classcategory_id2` field in the affected page until a patch is available. As a temporary workaround, avoid using the `classcategory_id2` field in the LOCKON EC-CUBE products list page to minimize the risk of exploitation.