Nick Gudov

**Name of the Vulnerable Software and Affected Versions** Q-Shop (affected versions not specified) **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to execute arbitrary script and potentially steal user session IDs via JavaScript in a URL. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CactuShop versions 5.x **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `strImageTag` parameter in the popuplargeimage.asp file. **Recommendations** For CactuShop version 5.x, avoid using the `strImageTag` parameter in the popuplargeimage.asp file until a fix is available. Consider restricting access to the popuplargeimage.asp file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QuadComm Q-Shop (affected versions not specified) **Description** The issue concerns SQL injection vulnerabilities that allow remote attackers to execute arbitrary SQL commands. This is achieved by manipulating certain parameters in various API endpoints, including "search.asp", "browse.asp", "details.asp", "showcat.asp", "users.asp", "addtomylist.asp", "modline.asp", "cart.asp", and "newuser.asp". **Recommendations** For QuadComm Q-Shop, consider restricting access to the mentioned API endpoints until a fix is available. As a temporary workaround, avoid using sensitive parameters in the affected endpoints. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CFWebstore version 5.0 **Description** The issue allows remote attackers to execute SQL commands. This is achieved by exploiting the `category id`, `product id`, or `feature id` parameters in the index.cfm file. **Recommendations** For CFWebstore version 5.0, consider restricting access to the index.cfm file until a patch is available, and avoid using the `category id`, `product id`, or `feature id` parameters in this file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CFWebstore version 5.0 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved by injecting malicious code via the URL. **Recommendations** For CFWebstore version 5.0, update the index.cfm file to properly sanitize user input and prevent the injection of arbitrary web script or HTML. As a temporary workaround, consider restricting access to the index.cfm file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** CactuShop versions 5.x **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `strItems` parameter in the "mailorder.asp" or "payonline.asp" files. **Recommendations** For CactuShop version 5.x, avoid using the `strItems` parameter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SpiderSales shopping cart software (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `userId` parameter in the viewCart.asp file. This can potentially lead to unauthorized access and manipulation of sensitive data. **Recommendations** For SpiderSales shopping cart software, consider restricting access to the viewCart.asp file until a patch is available. As a temporary workaround, avoid using the `userId` parameter in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** WebCortex WebStores 2000 version 6.0 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to execute arbitrary script as other users and potentially steal session IDs. This is achieved via the `Message id` parameter in the error.asp file. **Recommendations** For WebCortex WebStores 2000 version 6.0, avoid using the `Message id` parameter in the error.asp file until a fix is available. As a temporary workaround, consider restricting access to the error.asp file to minimize the risk of exploitation.