CVE-2014-5105

Name of the Vulnerable Software and Affected Versions ol-commerce version 2.1.1

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the a country parameter in a process action to "affiliate signup.php" or the entry country id parameter in an edit action to "admin/create account.php".

Recommendations For ol-commerce version 2.1.1, consider restricting access to the vulnerable parameters a country and entry country id in the respective API endpoints until a patch is available. Avoid using these parameters in the affected API endpoints "affiliate signup.php" and "admin/create account.php" to minimize the risk of exploitation.