Cross site scripting in OsCommerce CEPhoenix (CVE-2020-12058)

A cross site scripting vulnerability is present in OsCommerce CEPhoenix up until version 1.0.6.0

The vulnerabilities were found automatically by the NAVEX project, in multiple files. An example can be seen at /admin/currencies.php, line 208.

The issue is that user input is reflected in the response page without sufficient sanitization: the function tep_href_link() removes quote characters from the user input, but since the input is reflected inside JavaScript code, an attacker can bypass the escaping by terminating the quoted string with the HTML entity &quot; instead of a literal quote, allowing a reflected XSS attack.
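The following PHP snippet is an added illustration of the escaping problem described above; it is not code from osCommerce or from the NAVEX project. strip_quotes_only() is a hypothetical stand-in for a filter that only removes literal quote characters, and the sample value is constructed. It shows that such a filter leaves the entity form of a quote untouched, and contrasts it with encoding chosen for the actual output context (URL parameter, JavaScript string literal, HTML attribute), which handles both the literal and the entity-encoded form.

```php
<?php
// Added illustration (not osCommerce's own code): removing quote
// characters is not sufficient when the value ends up in JavaScript.

// Hypothetical stand-in for a sanitizer that only strips literal quotes.
function strip_quotes_only(string $value): string {
    return str_replace(['"', "'"], '', $value);
}

// Hardened alternative 1: a value that becomes a query-string parameter
// is URL-encoded, so '&', ';' and quotes cannot reach the link unencoded.
function query_param(string $name, string $value): string {
    return rawurlencode($name) . '=' . rawurlencode($value);
}

// Hardened alternative 2: a value embedded in a JavaScript string literal
// is JSON-encoded with the HTML-sensitive characters hex-escaped, so the
// result is safe whether it lands in a <script> block or an attribute.
function js_string_literal(string $value): string {
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_SLASHES
    );
}

// Hardened alternative 3: a value placed in HTML text or an attribute is
// entity-encoded, so an incoming '&' becomes '&amp;' and cannot form an entity.
function html_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample: a "page" parameter carrying the entity form of a quote.
$page = '2&quot;x';

// The quote-stripping filter passes the entity through unchanged.
// In an HTML attribute such as an inline event handler the HTML parser
// decodes entities before the JavaScript engine sees the text, so the
// quote reappears there.
echo 'stripped : ', strip_quotes_only($page), PHP_EOL;   // 2&quot;x

// Context-aware encoding neutralises both the literal and the entity form.
echo 'url      : ', query_param('page', $page), PHP_EOL; // page=2%26quot%3Bx
echo 'js       : ', js_string_literal($page), PHP_EOL;   // "2\u0026quot;x"
echo 'html attr: ', html_attr($page), PHP_EOL;           // 2&amp;quot;x
```

The point of the three encoders is that each one is chosen for the context the value is written into; a single filter applied before the context is known (such as stripping quote characters) cannot account for the decoding the browser performs in that context.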

We found the following vulnerable parameters on these pages:

page parameter:

  • catalog/admin/order_status.php
  • catalog/admin/tax_rates.php
  • catalog/admin/languages.php
  • catalog/admin/countries.php
  • catalog/admin/tax_classes.php
  • catalog/admin/reviews.php
  • catalog/admin/currencies.php
  • catalog/admin/zones.php

zpage and spage parameters:

  • catalog/admin/geo_zones.php