HIO-2008-0903 Avactis Shopping Cart XSS

Avactis Shopping Cart contains a flaw that allows a remote cross-site scripting (XSS) attack.
This flaw exists because the application does not validate the "step_id" or "CHECKOUT_CZ_BLOWFISH_KEY" variables upon submission to the checkout.php script. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

References:

BID: 31054

CVE: Pending

OSVDB: 47946

SA: 31768

Vendor Solution: Patch
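
A detection sketch for the flaw described above, added here as an example and not code from Avactis or from this advisory: it scans web access log lines for requests to checkout.php whose "step_id" or "CHECKOUT_CZ_BLOWFISH_KEY" value contains HTML-significant characters, including nested percent-encoding. The combined log format, the /shop/ path and the sample lines are assumptions constructed for illustration; only query-string values are visible in access logs, so values sent in a POST body need application-level logging.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Parameters named in the advisory; checkout.php is the affected script.
WATCHED = {"step_id", "CHECKOUT_CZ_BLOWFISH_KEY"}
# Characters that let a reflected value break out of HTML text or attributes.
MARKUP = re.compile(r"[<>\"'`]")
# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(log_line):
    """Return sorted watched parameter names whose value carries markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/checkout.php"):
        return []
    hits = set()
    # parse_qsl decodes one layer; fully_decode peels any further layers.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in WATCHED and MARKUP.search(fully_decode(value)):
            hits.add(name)
    return sorted(hits)


# Constructed sample lines (not from a real server); the markup is a harmless <i> tag.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Sep/2008:10:00:01 +0000] "GET /shop/checkout.php?step_id=2 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [03/Sep/2008:10:00:05 +0000] "GET /shop/checkout.php?step_id=%3Ci%3Ex%3C%2Fi%3E HTTP/1.1" 200 5190',
    '198.51.100.9 - - [03/Sep/2008:10:00:09 +0000] "GET /shop/checkout.php?step_id=1&CHECKOUT_CZ_BLOWFISH_KEY=%253Ci%253Ex HTTP/1.1" 200 5201',
    '198.51.100.4 - - [03/Sep/2008:10:00:12 +0000] "GET /shop/cart.php?step_id=%3Ci%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        found = suspicious_params(line)
        if found:
            print(found, line)
```

A hit means only that markup characters reached one of the two parameters; whether the installed version reflects them unencoded depends on whether the vendor patch has been applied.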

 

 