CVE-2007-0056

Name of the Vulnerable Software and Affected Versions ASHop Deluxe version 4.5 ASHop Administration Panel version 4.5

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via several parameters, including the cat parameter to "/ashop/catalogue.php" and "/ashop/basket.php", the exp parameter to "/ashop/catalogue.php", the searchstring parameter to "/ashop/search.php", the checkout and action parameters to "/ashop/shipping.php", the cat parameter to "/cart-path/admin/editcatalogue.php", and the resultpage parameter to "/cart-path/admin/salesadmin.php".

Recommendations For AShop Deluxe version 4.5, update the software to a version that fixes the XSS vulnerabilities. For AShop Administration Panel version 4.5, update the software to a version that fixes the XSS vulnerabilities. As a temporary workaround, consider restricting access to the affected API endpoints, such as "/ashop/catalogue.php", "/ashop/basket.php", "/ashop/search.php", "/ashop/shipping.php", "/cart-path/admin/editcatalogue.php", and "/cart-path/admin/salesadmin.php", until a patch is available. Avoid using the parameters cat, exp, searchstring, checkout, action, and resultpage in the affected API endpoints until the issue is resolved.