April 2007
MWR InfoSecurity release Elastic Path Advisory
ID: 123
Ref: 065/2007
Date: 26 April 2007:13:10:28
Version: 1
Title: MWR InfoSecurity release Elastic Path Advisory
Abstract: Elastic Path is a Java e-commerce software platform for building online stores and shopping carts. MWR have released an advisory through CPNI relating to an embedded Cross Site Scripting vulnerability.
Elastic Path is a Java e-commerce software platform for building online stores and shopping carts. MWR have released an advisory through CPNI relating to an embedded Cross Site Scripting (XSS) vulnerability that could allow remote attackers to hijack a legitimate administrator's session cookie. An attacker could exploit this vulnerability to gain unauthorised access to the Elastic Path Commerce Manager and obtain administrative privileges.
Elastic Path have addressed this vulnerability and implemented a fix in version 5.1.1. This version has not been tested.
Full Details at:
http://www.mwrinfosecurity.com/advisories/mwri_elastic-path-ecommer-manager-advisory_2007-04-25.pdf
______________________________________________________________________________
CPNI wishes to acknowledge the contributions of Rafael Domingues-Vega at MWR InfoSecurity for the information contained in this advisory.
______________________________________________________________________________