PT-2018-11530 · Sandoba · Sandoba Cp:Shop

Published: 2018-06-29 · Updated: 2018-08-20 · CVE-2018-13001

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Sandoba CP:Shop version v2016.1

Description: A cross-site scripting (XSS) issue was found that allows remote attackers to inject script code into the client side of the web application through vulnerable parameters. The attack vector is non-persistent (reflected) and uses the GET request method with parameters such as path, search, rename, or dir. The issue is located in the admin.php file of the ./cpshop/ module.

Recommendations: For Sandoba CP:Shop version v2016.1, consider restricting access to the admin.php file in the ./cpshop/ module until a patch is available. As a temporary workaround, avoid using the path, search, rename, or dir parameters in the affected endpoint.
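The two recommendations above (restrict who can reach admin.php, and stop untrusted GET values from being written back into the page) are illustrated below. This is an added example, not Sandoba's code and not taken from the CP:Shop product; the functions, the allow-list and the sample request values are hypothetical and constructed for the illustration.

```php
<?php
// Added illustration only: a reflected-XSS pattern of the kind the advisory
// describes, next to a hardened version. Not the vendor's code.

declare(strict_types=1);

// Recommendation 1: restrict access to the admin script until a patch exists.
// Here a simple source-address allow-list (constructed values) gates the page.
const ADMIN_ALLOWED_SOURCES = ['127.0.0.1', '10.0.0.5'];

function admin_access_allowed(string $remoteAddr): bool
{
    return in_array($remoteAddr, ADMIN_ALLOWED_SOURCES, true);
}

// Vulnerable pattern: GET parameters are echoed into HTML unencoded, so a
// crafted link makes the victim's browser execute whatever the value holds.
function render_vulnerable(array $get): string
{
    $search = $get['search'] ?? '';
    $dir    = $get['dir'] ?? '';
    return "<p>Results for: {$search}</p><p>Directory: {$dir}</p>";
}

// Recommendation 2, in code: encode every untrusted value for the HTML
// context it lands in. ENT_QUOTES covers attribute contexts as well as text.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $get): string
{
    $search = h((string) ($get['search'] ?? ''));
    $dir    = h((string) ($get['dir'] ?? ''));
    return "<p>Results for: {$search}</p><p>Directory: {$dir}</p>";
}

// Constructed sample request: a value that should render as text, never run.
$sampleGet = [
    'search' => "<script>alert('xss')</script>",
    'dir'    => 'images" onmouseover="x',
];

// Access gate first, output encoding second; both are independent layers.
$remote = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';
if (!admin_access_allowed($remote)) {
    http_response_code(403);
    exit('Forbidden');
}

header('Content-Type: text/html; charset=UTF-8');
echo "<!-- vulnerable: -->\n" . render_vulnerable($sampleGet) . "\n";
echo "<!-- hardened:   -->\n" . render_hardened($sampleGet) . "\n";
```

The hardened output turns `<` into `&lt;` and `"` into `&quot;`, so the browser shows the sample value literally instead of interpreting it; the access check is the stop-gap the advisory suggests while a vendor fix is pending, and does not by itself remove the encoding defect.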


Weakness Enumeration

Related Identifiers: CVE-2018-13001

Affected Products: Sandoba Cp:Shop