CVE-2010-1328

Name of the Vulnerable Software and Affected Versions TornadoStore versions 1.4.3 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including tipo, destino, rubro, arti, descrip, and tit, in various PHP files across different sections of the application. This can be exploited through the "login registrese.php3" in the Services section, "precios.php3" in the Products section, "recomenda articulo.php3" in the Products section, and multiple files in the e-Commerce section, including "control/abm det.php3" and "control/abm list.php3".

Recommendations For TornadoStore versions 1.4.3 and earlier, as a temporary workaround, consider restricting access to the vulnerable parameters tipo, destino, rubro, arti, descrip, and tit in the respective PHP files until a patch is available. Avoid using these parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.