CVE-2023-6296

Name of the Vulnerable Software and Affected Versions osCommerce version 4

Description A problematic issue was found in osCommerce, affecting some unknown functionality of the file /catalog/compare of the component Instant Message Handler. The manipulation of the compare argument with a malicious input leads to cross-site scripting. The attack can be launched remotely.

Recommendations For osCommerce version 4, as a temporary workaround, consider restricting access to the /catalog/compare endpoint until a patch is available. Avoid using the compare argument in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.