CVE-2017-10667
Description
Cross-site scripting (XSS) vulnerability in Zen Cart 1.6.0 via the products_id parameter in index.php allows remote attackers to inject arbitrary web script or HTML.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The index.php script in Zen Cart 1.6.0 fails to sanitize the products_id parameter, allowing reflected cross-site scripting (XSS). An attacker can inject arbitrary HTML or JavaScript through this parameter without requiring authentication or special configuration [1][2].
Exploitation
An attacker crafts a malicious URL containing JavaScript code in the products_id parameter and convinces a victim to click it (e.g., via phishing or social engineering). No prior authentication or privileges are needed [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary script in the victim's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites [1][2].
Mitigation
Zen Cart released a fix in a subsequent version (e.g., 1.6.1). Users should upgrade to the latest stable release to mitigate this vulnerability [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0
No patches discovered yet.
References (2)
- github.com/zencart/zencart/issues/1443 (nvd: Issue Tracking, Third Party Advisory)
- github.com/zhonghaozhao/zencart/issues/1 (nvd: Third Party Advisory)