[Original text] index.php in CubeCart 2.0.4 allows remote attackers to (1) obtain the full path for the web server or (2) conduct cross-site scripting (XSS) attacks via an invalid language parameter, which echoes the parameter in a PHP error message.
CubeCart contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'language' variable upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade to version 2.0.5 or higher, as it has been reported to fix this vulnerability. In addition, CubeCart has released a patch for some older versions.
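
One way to close both issues the entry describes, shown as an added example (not CubeCart's code or its 2.0.5 patch): match the `language` value against an allow-list before it reaches any file path, and keep PHP error text out of responses. The language codes, the `language/<code>/lang.inc.php` layout and the function names are assumptions.

```php
<?php
// Added illustration; not CubeCart source. All names here are hypothetical.

// Keep PHP diagnostics out of HTTP responses. With display_errors on, a failed
// include prints the server's filesystem path and the raw parameter value.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

const DEFAULT_LANGUAGE  = 'en';                 // assumed default pack
const ALLOWED_LANGUAGES = ['en', 'de', 'fr'];   // assumed installed packs

/**
 * Map the request's language value onto a known language pack.
 * Anything not on the allow-list falls back to the default, so the
 * request value itself never becomes part of a path or an error message.
 */
function resolve_language($requested): string
{
    if (!is_string($requested)) {   // ?language[]=x arrives as an array
        return DEFAULT_LANGUAGE;
    }
    return in_array($requested, ALLOWED_LANGUAGES, true)
        ? $requested
        : DEFAULT_LANGUAGE;
}

/** HTML-encode any value that has to be shown back to the user. */
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs standing in for $_GET['language'].
$samples = ['de', 'zz', '<b>x</b>', ['x']];

foreach ($samples as $raw) {
    $lang  = resolve_language($raw);
    $file  = 'language/' . $lang . '/lang.inc.php';   // built only from the allow-listed code
    $shown = is_string($raw) ? html($raw) : '(non-string)';
    echo "requested={$shown} -> {$file}\n";
}
```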