WORK system e-commerce 4.x contains a flaw that allows a remote cross site scripting attack.  This flaw exists because the application does not validate the "day", "month", and "year" variables upon submission to the module/main.php script.  This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

References:

BID: 28785

CVE-2008-1839  

XF: 41811  

OSVDB: 44373

Secunia: 29823

Vendor Solution: Upgrade to 4.0.10