CVE-2010-1486

CactuShop < 6.155 - Stored Cross-Site Scripting via Billing or Shipping Address

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-1486. PoCs published by 7Safe.

AI-analyzed exploit summary: This advisory describes a persistent (stored) XSS vulnerability in CactuShop's _invoice.asp file, where malicious input in the billing/shipping addresses is not sanitized before being written into the invoice page. The fix involves passing the user-supplied fields through the WriteSafe function to HTML-encode them.

Description

Multiple cross-site scripting (XSS) vulnerabilities in _invoice.asp in CactuShop before 6.155 allow remote attackers to inject arbitrary web script or HTML via the (1) billing address or (2) shipping address.

Exploits (1)

exploit-db writeup (verified)
by 7Safe · text · webapps · asp
https://www.exploit-db.com/exploits/12329


Classification
Writeup 100%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: CactuShop v6.1 and older
Auth required
Prerequisites: User account to submit malicious input · Admin interaction to trigger the payload
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Third Party Advisory, VDB Entry (SecurityFocus BID)
http://www.securityfocus.com/bid/39587

Scores

EPSS 0.0120
EPSS Percentile 64.2%

Details

CWE
CWE-79
Status published
Products (9)
cactushop/cactushop 3
cactushop/cactushop 4
cactushop/cactushop 4.1
cactushop/cactushop 4.5
cactushop/cactushop 4.6
cactushop/cactushop 4.7
cactushop/cactushop 5.0
cactushop/cactushop 5.1
cactushop/cactushop < 6.1
Published Apr 22, 2010
Tracked Since Feb 18, 2026