CVE-2006-4360 in E-Commerce Moduleinfo

Summary

by MITRE

Cross-site scripting (XSS) vulnerability in E-commerce 4.7 for Drupal before file.module 1.37.2.4 (20060812) allows remote authenticated users with the "create products" permission to inject arbitrary web script or HTML via unspecified vectors.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 09/23/2017

This cross-site scripting vulnerability exists within the E-commerce module version 4.7 for Drupal platforms prior to file.module version 1.37.2.4 released on August 12, 2006. The flaw represents a classic client-side attack vector that allows malicious actors to inject arbitrary web scripts or HTML content into web pages viewed by other users. The vulnerability specifically affects authenticated users who possess the "create products" permission within the Drupal content management system, making it particularly dangerous in environments where multiple users have administrative or content creation privileges.

The technical nature of this vulnerability stems from inadequate input validation and output encoding within the E-commerce module's product creation functionality. When authenticated users with product creation rights submit product data, the system fails to properly sanitize or escape user-supplied input before rendering it in web pages. This allows attackers to embed malicious scripts that execute in the context of other users' browsers when they view the affected product listings or related pages. The unspecified vectors indicate that multiple input points within the product creation workflow could serve as attack surfaces, potentially including product titles, descriptions, attributes, or other editable fields.

The operational impact of this vulnerability extends beyond simple script injection, as it can enable attackers to perform various malicious activities including session hijacking, credential theft, data exfiltration, and redirection to malicious websites. An attacker could craft product entries containing malicious javascript payloads that would execute whenever legitimate users browse product catalogs or view product details. This could lead to unauthorized access to user sessions, modification of product information, or even complete compromise of user accounts with elevated privileges. The vulnerability affects the integrity and confidentiality of the entire e-commerce platform, potentially exposing sensitive customer data and business information.

Organizations should immediately upgrade to the patched version of the file.module component or implement comprehensive input validation measures to prevent unauthorized script injection. The mitigation strategy should include proper output encoding of all user-supplied content before rendering, implementation of content security policies, and regular security auditing of all modules and themes. This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and represents a critical concern in the ATT&CK framework under the T1059 technique for command and scripting interpreter. Given the age of this vulnerability, systems administrators must ensure all legacy Drupal installations receive proper security updates or are properly isolated from public networks to prevent exploitation.

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!