Booker

**Name of the Vulnerable Software and Affected Versions** CubeCart versions 2.0.0 through 2.0.5 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary HTML or web script via certain parameters, including `cat id`, `PHPSESSID`, `view doc`, `product`, `session`, `catname`, `search`, or `page`. **Recommendations** For CubeCart versions 2.0.0 through 2.0.5, update to a version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** CubeCart versions 2.0.0 through 2.0.5 **Description** The issue allows remote attackers to determine the full path of the server via direct calls without parameters to various PHP files, including "information.php", "language.php", "list docs.php", "popular prod.php", "sale.php", "subfooter.inc.php", "subheader.inc.php", "cat navi.php", and "check sum.php". This is possible because these files reveal the path in a PHP error message when called directly without parameters. **Recommendations** For CubeCart versions 2.0.0 through 2.0.5, consider restricting direct access to the affected PHP files, such as "information.php", "language.php", "list docs.php", "popular prod.php", "sale.php", "subfooter.inc.php", "subheader.inc.php", "cat navi.php", and "check sum.php", to prevent the disclosure of the server path.