CVE-2014-4965

Name of the Vulnerable Software and Affected Versions Shopizer versions 1.1.5 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved via several parameters, including the customername parameter to the "central/orders/searchcriteria.action" endpoint, the productname, availability, or status parameters to the "central/catalog/productlist.action" endpoint. Additionally, there are unspecified vectors in the "WebContent/orders/orderlist.jsp" file.

Recommendations For Shopizer versions 1.1.5 and earlier, consider disabling access to the vulnerable endpoints, such as "central/orders/searchcriteria.action" and "central/catalog/productlist.action", until a patch is available. As a temporary workaround, restrict the use of the customername, productname, availability, and status parameters in the affected endpoints. Avoid using the "WebContent/orders/orderlist.jsp" file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.