osCommerce versions 2.2-MS1 and 2.2-MS2 allow a remote attacker to send a malformed URI that can effectively deny a user legitimate access to their account via a denial of service attack that will cause an unremovable item to be placed in the users shopping cart. These releases are also subject to SQL injection attacks and cross-site scripting problems as well.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/32397/oscommerce.txt
Source: https://packetstormsecurity.com/files/32397/oscommerce.txt.html