PT-2013-1951 · Silverstripe · Silverstripe Cms+1

Published 2013-08-09 · Updated 2013-08-13 · CVE-2012-6458

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

SilverStripe e-commerce module version 3.0 for SilverStripe CMS

Description

The issue allows remote attackers to inject arbitrary web script or HTML via specific parameters, including FirstName, Surname, and Email to "code/forms/OrderFormAddress.php", or FirstName and Surname to "code/forms/ShopAccountForm.php".

Recommendations

For SilverStripe e-commerce module version 3.0, consider restricting the input for the FirstName, Surname, and Email parameters in "code/forms/OrderFormAddress.php" and the FirstName and Surname parameters in "code/forms/ShopAccountForm.php" to prevent arbitrary web script or HTML injection until a patch is available.

Fix

XSS

Weakness Enumeration

Related identifiers

CVE-2012-6458

Affected products

Silverstripe Cms
Silverstripe E-Commerce Module