I am writing to inform you of multiple persistent XSS issues within the ecommerce module (https://code.google.com/p/silverstripe-ecommerce/) of SilverStripe CMS. These issues have been fixed without a corresponding release note or other indication of a security advisory. The author has been unresponsive about what version numbers contain the fixes so I am instead posting a link to the fix in case anyone wants to check/patch their site. https://code.google.com/p/silverstripe-ecommerce/source/detail?r=3739 Specifically there were some places where user-controlled profile values were rendered without being sanitized. This could be exploited by an attacker who establishes an account using their victim's email address or an attacker who gains access to their victim's account by any other means. In these situations the attacker could insert XSS payloads which would execute if the victim subsequently logs into the account. The issue is tracked as CVE-2012-6458. Thanks, Craig Young @CraigTweets
