CVE-2004-2411

VP-ASP Shopping Cart 4.0-5.0 - Cross-Site Scripting via IMG Tag in cat or msg Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2004-2411. PoCs published by Thomas Ryan.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in VP-ASP's 'shoperror.asp' script due to improper sanitization of user-supplied input in the 'msg' parameter. The PoC includes URLs that trigger XSS via injected JavaScript and meta refresh tags.

Description

The CleanseMessage function in shop$db.asp for VP-ASP Shopping Cart 4.0 through 5.0 does not sufficiently cleanse inputs, which allows remote attackers to conduct cross-site scripting (XSS) attacks that do not use <script> tags, as demonstrated via javascript in IMG tags to (1) the cat parameter in shopdisplayproducts.asp or (2) the msg parameter in shoperror.asp, and possibly other vectors.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Thomas Ryan · textwebappsasp
https://www.exploit-db.com/exploits/24198

This exploit demonstrates a cross-site scripting (XSS) vulnerability in VP-ASP's 'shoperror.asp' script due to improper sanitization of user-supplied input in the 'msg' parameter. The PoC includes URLs that trigger XSS via injected JavaScript and meta refresh tags.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: VP-ASP versions 5.0 and prior
No auth needed
Prerequisites: Access to the target VP-ASP application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/11846
Exploit, Patch, Vendor Advisory x_refsource_misc
http://www.providesecurity.com/research/advisories/06142004-01.asp
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/6949
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/10530
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/10534
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/16411
Exploit, Patch, Vendor Advisory mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0363.html

Scores

EPSS 0.0219
EPSS Percentile 80.2%

Details

Status published
Products (3)
virtual_programming/vp-asp 4.0
virtual_programming/vp-asp 4.50
virtual_programming/vp-asp 5.0
Published Dec 31, 2004
Tracked Since Feb 18, 2026