PT-2014-80: Cross-Site Scripting in ShopOS Vulnerable softwareShopOS Version: 2.5.9 and earlierLink: http://www.shopos.ru/Severity levelSeverity level: Medium Impact: Cross-Site Scripting Access Vector: Remote CVSS v2: Base Score: 4.3 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)CVE: not assignedSoftware descriptionShopOS is a web content management system.Vulnerability descriptionThe specialists of the Positive Research center have detected a Cross-Site Scripting vulnerability in ShopOS.Cross-site scripting in the currencies.php script allows remote attackers to inject arbitrary HTML tags (including JavaScript scripts, etc.) to a page processed by user's browser.How to fix No solution.Advisory status 26.12.2013 - Vendor gets vulnerability details 29.12.2014 - Public disclosureCreditsThe vulnerability was detected by using Positive Technologies Application Inspector, the application security testing systemReferenceshttp://en.securitylab.ru/lab/PT-2014-80 Reports on the vulnerabilities previously discovered by Positive Research:http://www.ptsecurity.com/research/advisory/ http://en.securitylab.ru/lab/