CVE-2005-1951

Name of the Vulnerable Software and Affected Versions osCommerce versions 2.2 Milestone 2 and earlier

Description The issue allows remote attackers to spoof web content and poison web caches. This is achieved by inserting hex-encoded CRLF ("%0d%0a") sequences in specific parameters. The affected parameters include products id or pid in index.php and goto in banner.php.

Recommendations For osCommerce versions 2.2 Milestone 2 and earlier, consider restricting access to the index.php and banner.php files until a fix is available. As a temporary workaround, avoid using the products id, pid, and goto parameters in the affected API endpoints.