CVE-2014-8307
Description
Multiple cross-site scripting (XSS) vulnerabilities in skins/default/outline.tpl in C97net Cart Engine before 4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) path parameter in the "drop down TOP menu (with path)" section or (2) print_this_page variable in the footer_content_block section, as demonstrated by the QUERY_STRING to (a) index.php, (b) checkout.php, (c) contact.php, (d) detail.php, (e) distro.php, (f) newsletter.php, (g) page.php, (h) profile.php, (i) search.php, (j) sitemap.php, (k) task.php, or (l) tell.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cart Engine before 4.0 has multiple XSS vulnerabilities in outline.tpl via path and print_this_page parameters.
Vulnerability
Cart Engine before version 4.0 contains multiple reflected cross-site scripting (XSS) vulnerabilities in the skins/default/outline.tpl template file. Two request-derived values are written into the HTML output without encoding: the path parameter (used in the "drop down TOP menu (with path)" section) and the print_this_page variable (used in the footer_content_block section, where it reflects the request's query string). Because outline.tpl is the shared page outline for the default skin, the same two reflection points are reachable through every entry point that renders it: index.php, checkout.php, contact.php, detail.php, distro.php, newsletter.php, page.php, profile.php, search.php, sitemap.php, task.php, and tell.php [1].
Exploitation
An attacker exploits this by crafting a URL to one of the affected scripts whose query string carries the payload, either in the path parameter or anywhere in the raw query string that the template reflects into the print_this_page value, so no particular parameter name is needed for the second vector. The attacker must convince a victim to open the link (or embed it in a page the victim visits). No authentication is required, and the script runs when the victim's browser renders the reflected response [1].
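Because the payload travels in the query string of a request to a known set of scripts, exploitation attempts are visible in ordinary web server access logs. The following is an added example, not code from the Cart Engine project or from this CVE's references: it scans constructed Apache-style log lines, URL-decodes the query (including double-encoded payloads), and flags requests to the twelve affected scripts whose decoded query contains markup or script markers. The log lines, the 203.0.113.x addresses and the heuristic marker regex are all assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Entry points listed in the CVE description as rendering outline.tpl.
AFFECTED_SCRIPTS = {
    "index.php", "checkout.php", "contact.php", "detail.php", "distro.php",
    "newsletter.php", "page.php", "profile.php", "search.php", "sitemap.php",
    "task.php", "tell.php",
}

# Heuristic markers of HTML/JS injection in a decoded query string (assumption:
# tuned for this example, not an exhaustive XSS signature). The lookbehind on the
# event-handler pattern keeps benign names such as "contact=" from matching.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*[a-z]|javascript\s*:|(?<![a-z])on[a-z]+\s*=|expression\s*\(",
    re.IGNORECASE,
)

# Combined/common log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_query(query: str) -> str:
    """URL-decode repeatedly (bounded) so %253C-style double encoding is unwrapped."""
    prev, cur = None, query
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur


def analyse_request(target: str):
    """Return (script, decoded_query, is_hit) for one request target."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    decoded = decode_query(parts.query)
    is_hit = script in AFFECTED_SCRIPTS and bool(XSS_MARKERS.search(decoded))
    return script, decoded, is_hit


def scan_log(lines):
    """Return findings for lines that look like CVE-2014-8307 exploitation attempts."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        script, decoded, is_hit = analyse_request(m.group("target"))
        if is_hit:
            findings.append({
                "ip": m.group("ip"),
                "script": script,
                "query": decoded,
                "status": m.group("status"),
            })
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2014:12:01:02 +0000] "GET /shop/search.php?q=shoes HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Nov/2014:12:01:05 +0000] "GET /shop/index.php?path=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Nov/2014:12:01:09 +0000] "GET /shop/detail.php?%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5301 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Nov/2014:12:01:12 +0000] "GET /shop/admin.php?x=%3Cscript%3E HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Nov/2014:12:01:15 +0000] "GET /shop/tell.php?path=javascript:alert(1) HTTP/1.1" 200 4988 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['script']} [{f['status']}] {f['query']}")
```

The request to admin.php is deliberately not reported: it is not one of the scripts that renders outline.tpl, so a raw `<script` in its query is a generic probe rather than an attempt on this CVE. A status of 200 on a flagged line means the reflected page was served, which is the condition under which a victim's browser would have executed the payload.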
Impact
Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript in the victim's browser within the origin of the affected store. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites; because checkout.php and profile.php are among the affected entry points, the injected script can also act on the victim's shopping session or account data [1].
Mitigation
The vulnerability is fixed in Cart Engine version 4.0, and users are advised to upgrade. If upgrading is not immediately possible, encode both reflection points in outline.tpl at the point of output (for PHP, htmlspecialchars with ENT_QUOTES and an explicit charset) and validate the path parameter against the format the menu actually expects rather than passing it through. A site running a customized copy of the default skin must apply the same template change to that copy, since the upgrade only replaces skins/default/outline.tpl [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.