Its a known vulnerability in WCS 6.x as Hacker can inject the script using a crafted URL with invalid parameters. Though WCS is able to identify that its cross site scripting attempt using XSiteProtection but still it forwards to the input validation error page -
com.ibm.commerce.context.exception.BusinessContextException:
The input catalog id for the catalog context is not a valid number.
and if application is displaying the invalid parameter in the error page, the script gets executed.
Though in logs we can see
CrossSiteScriptingHelper handle CMN0522E: The request cannot be processed because it contains prohibited characters.
but still it pass through this and then shows the invalid input page. The problem is due to the precedence of Invalid input exception over security exception resulting in this vulnerability.
This has been fixed in WCS 7.0.
http://xforce.iss.net/xforce/xfdb/62952
Till the time one doesn't move to WCS 7, they can fix by sanitizing the JSP -
1. exclude invalid parameter , error stack trace etc
2. or use JSTL
3. or replace all occurrences of malicious keywords ( script etc ) before rendering the html.
Related Post - What is Cross Site Scritping or XSS ?
http://techsharepoint.blogspot.com/2012/10/hack-hacker-cross-site-scripting-xss.html