source: https://www.securityfocus.com/bid/8722/info
A-Cart has been reported prone to a cross-site scripting vulnerability. The issue presents itself likely due to a lack of sufficient sanitization performed on data contained in the 'msg' URI parameter that is passed to signin.asp.
An attacker could exploit this condition to render arbitrary HTML in the browser of a victim, stealing cookie authentication credentials or performing other nefarious acts.
http://www.example.com/acartpath/signin.asp?msg=<script>alert('Zone-h')</script>