[Original] Multiple cross-site scripting (XSS) vulnerabilities in (1) comersus_supportError.asp or (2) comersus_backofficelite_supportError.asp in BackOffice Lite 6.0 and 6.01 allow remote attackers to inject arbitrary web script or HTML via the error parameter.
[CNNVD] BackOffice Lite comersus_supportError.asp and comersus_backofficelite_supportError.asp cross-site scripting (XSS) vulnerability (CNNVD-200505-702)
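Cross-site scripting (XSS) vulnerabilities exist in (1) comersus_supportError.asp or (2) comersus_backofficelite_supportError.asp in BackOffice Lite 6.0 and 6.01. A remote attacker can inject arbitrary web script or HTML via the error parameter.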
Comersus ASP Shopping Cart comersus_supportError.asp error Parameter XSS
Remote / Network Access
Loss of Integrity
ASP Shopping Cart contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the error variable upon submission to the comersus_supportError.asp script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade to version 6.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.