PT-2006-5925 · Oscommerce · Oscommerce

Lostmon · Published 2006-10-06 · Updated 2017-10-05 · CVE-2006-5190

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: osCommerce version 2.2 Milestone 2 Update 060817

Description: The issue allows remote attackers to inject arbitrary web script or HTML via the page parameter in multiple scripts in the /admin directory, including banner_manager.php, banner_statistics.php, countries.php, currencies.php, languages.php, manufacturers.php, newsletters.php, orders_status.php, products_attributes.php, products_expected.php, reviews.php, specials.php, stats_products_purchased.php, stats_products_viewed.php, tax_classes.php, tax_rates.php, and zones.php. Additionally, the zpage parameter in admin/geo_zones.php is vulnerable.

Recommendations: For osCommerce version 2.2 Milestone 2 Update 060817, consider disabling the vulnerable scripts in the /admin directory until a patch is available. Restrict access to the admin/geo_zones.php script to minimize the risk of exploitation. Avoid using the page and zpage parameters in the affected scripts until the issue is resolved.
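The reflected page-parameter pattern behind this class of issue, as an added illustration that is not osCommerce's own code: a pagination link helper that concatenates the raw parameter into admin HTML, beside a hardened version that validates it as a positive integer and HTML-escapes everything it emits. Function names and the sample value are constructed for the example.

```php
<?php
// Added illustration, not osCommerce's own code. In a real admin script the
// $page argument would come from $_GET['page'] (or $_GET['zpage']).

// Vulnerable pattern: the raw parameter is concatenated into the markup, so
// any HTML in ?page=... is rendered as-is by the administrator's browser.
function build_page_link_vulnerable(string $script, string $page): string
{
    return '<a href="' . $script . '?page=' . $page . '">' . $page . '</a>';
}

// Hardened form: a page index can only be a positive integer, so anything
// else falls back to page 1; every value placed in HTML is escaped as well.
function build_page_link_hardened(string $script, string $page): string
{
    $pageNum = (ctype_digit($page) && (int) $page > 0) ? (int) $page : 1;
    $safeScript = htmlspecialchars($script, ENT_QUOTES, 'UTF-8');
    $safePage   = htmlspecialchars((string) $pageNum, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safeScript . '?page=' . $safePage . '">'
         . $safePage . '</a>';
}

// Constructed test value: not a number, and it carries benign markup.
$sample = '1"><b>';

echo build_page_link_vulnerable('countries.php', $sample), "\n";
// The quote and <b> tag survive unescaped and break out of the href.
echo build_page_link_hardened('countries.php', $sample), "\n";
// Output is a clean link to page 1: <a href="countries.php?page=1">1</a>
```

The same validate-then-escape treatment applies to any other pagination or sort parameter an admin page reflects, and rejecting non-numeric values at the input also gives a simple log condition to alert on.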


Related Identifiers

CVE-2006-5190

Affected Products

Oscommerce