Multiple vulnerabilities have been identified in the osCommerce application, which can be exploited by hackers to inject malicious content into vulnerable osCommerce websites.
A large-scale injection attack targeting osCommerce websites has been reported. The injected "<iframe>" and "<script>" elements point to malicious links that infect computers via various exploits. This attack leverages several osCommerce vulnerabilities, including:
- osCommerce Remote Edit Site Info Vulnerability [disclosed 10 July 2011]
- osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability [disclosed 14 May 2011]
- osCommerce Online Merchant v2.2 File Disclosure And Admin ByPass Vulnerability [disclosed 30 May 2010]