CVE-2012-1664

Name of the Vulnerable Software and Affected Versions osCMax versions prior to 2.5.1

Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters in different admin panel files. The affected parameters include username in 'admin/login.php', pageTitle, current product id, cPath in 'admin/new attributes include.php', sb id, sb key, gc id, gc key, path in 'admin/htaccess.php', title in 'admin/information form.php', search in 'admin/xsell.php', gross, max in 'admin/stats products purchased.php', status in 'admin/stats monthly sales.php', sorted in 'admin/stats customers.php', information id in 'admin/information manager.php', and zID in 'admin/geo zones.php'.

Recommendations For osCMax versions prior to 2.5.1, update to version 2.5.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin panel and limiting the use of the affected parameters until the update is applied. Avoid using the specified parameters in the affected API endpoints until the issue is resolved.