Incomplete '.htaccess' blacklist filtering in osCommerce 2.3.4.1 product page allows HTML rendering in .eml files

CVE-2018-18966 · MEDIUM Severity

CVSS v2 vector: AV:N/AC:L/AU:S/C:N/I:P/A:N

osCommerce 2.3.4.1 has an incomplete '.htaccess' blacklist filter on the "product" page. The .htaccess file in catalog/images/ bans the html extension, but Internet Explorer renders HTML elements found in a .eml file, so a file with that extension is not covered by the blacklist.
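The underlying weakness is extension blacklisting: any extension the list omits (here .eml) is still served, and a browser that sniffs or renders it defeats the block. The fragment below is an added illustration, not the osCommerce project's own .htaccess; the blacklist shape shown is an assumption about what such a rule looks like, and the hardened form assumes Apache 2.4 (Require directives) with mod_headers available.

```apache
# Added example, not the project's .htaccess. Weak pattern (assumed shape):
# a blacklist blocks named extensions and lets everything else through,
# so a .eml file in an images directory is still served.
#
# <FilesMatch "\.(?i:html?|php)$">
#     Require all denied
# </FilesMatch>

# Hardened pattern: deny every file in this directory by default ...
<FilesMatch ".*">
    Require all denied
</FilesMatch>

# ... then grant only the image types the directory is meant to hold.
# Later FilesMatch sections take precedence, so this allowlist overrides
# the blanket deny only for these extensions.
<FilesMatch "\.(?i:gif|jpe?g|png|webp)$">
    Require all granted
</FilesMatch>

# Tell browsers not to guess a different type for what is served.
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>
```

With the allowlist in place, the list of dangerous extensions no longer has to be complete: a .eml, .svg or any other unexpected file in catalog/images/ is refused rather than rendered.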