Alan Ward A-Cart 2.0 - MSG Cross-Site Scripting

EDB-ID:

23195

CVE:



Author:

G00db0y

Type:

webapps


Platform:

ASP

Date:

2003-09-29


source: https://www.securityfocus.com/bid/8722/info

A-Cart has been reported prone to a cross-site scripting vulnerability. The issue presents itself likely due to a lack of sufficient sanitization performed on data contained in the 'msg' URI parameter that is passed to signin.asp.

An attacker could exploit this condition to render arbitrary HTML in the browser of a victim, stealing cookie authentication credentials or performing other nefarious acts. 

http://www.example.com/acartpath/signin.asp?msg=<script>alert('Zone-h')</script>