CVE-2004-2411 - Cross-Site Scripting vulnerability in Virtual Programming VP-ASP Shopping Cart Shop$DB.Asp 4.0/4.50/5.0

CVSS 4.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE
Tags: network, virtual-programming, exploit available

Summary

The CleanseMessage function in shop$db.asp for VP-ASP Shopping Cart 4.0 through 5.0 does not sufficiently cleanse inputs, which allows remote attackers to conduct cross-site scripting (XSS) attacks that do not use <script> tags, as demonstrated via javascript in IMG tags to (1) the cat parameter in shopdisplayproducts.asp or (2) the msg parameter in shoperror.asp, and possibly other vectors.

Exploit-Db

description: Virtual Programming VP-ASP Shoperror Script 4/5 Cross-Site Scripting Vulnerability. CVE-2004-2411. Webapps exploit for asp platform
id: EDB-ID:24198
last seen: 2016-02-02
modified: 2004-06-14
published: 2004-06-14
reporter: Thomas Ryan
source: https://www.exploit-db.com/download/24198/
title: Virtual Programming VP-ASP Shoperror Script 4/5 - Cross-Site Scripting Vulnerability