CVE-2004-1807
Description
CFWebstore 5.0 index.cfm is vulnerable to cross-site scripting (XSS) via the URL, allowing session theft.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in index.cfm of CFWebstore 5.0 [1]. The application fails to sanitize user-supplied input passed through the URL, allowing injection of arbitrary web script or HTML [2]. This affects all installations of version 5.0 and earlier.
Exploitation
An attacker can craft a malicious URL containing JavaScript code. By tricking a victim into visiting that URL, the injected script executes in the context of the victim's browser session [2]. No authentication is required; the attack relies on user interaction (e.g., clicking a link).
Impact
Successful exploitation allows the attacker to steal the victim's session identifier, gaining access to the victim's account and personal data stored in the shopping cart application [2]. This can lead to unauthorized actions such as viewing orders, changing account details, or making purchases on behalf of the victim.
Mitigation
Dogpatch Software released version 5.0.1, which addresses the XSS vulnerability by properly validating input [2]. Users should upgrade to this version or later. If upgrading is not immediately possible, administrators should restrict access to the affected index.cfm script or apply input validation rules at the web server or application firewall level.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:dogpatch_software:cfwebstore:5.0:*:*:*:*:*:*:*
- (no CPE) range: = 5.0
Patches
No patches discovered yet.
References
8
News mentions
No linked articles in our index yet.