CVE-2011-0504

Name of the Vulnerable Software and Affected Versions VaM Shop versions 1.6 through 1.6.1 VaM Shop versions prior to 1.6

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the status parameter to "admin/orders.php", the search parameter to "admin/customers.php", or the STORE NAME parameter to "admin/configuration.php".

Recommendations For VaM Shop versions 1.6 through 1.6.1, avoid using the status parameter in "admin/orders.php", the search parameter in "admin/customers.php", and the STORE NAME parameter in "admin/configuration.php" until a fix is available. For VaM Shop versions prior to 1.6, consider the same mitigation measures as above, focusing on restricting access to the mentioned parameters in the respective PHP files. As a temporary workaround, consider disabling access to "admin/orders.php", "admin/customers.php", and "admin/configuration.php" until a patch is available.