In latest version of osCommerce (3.x line) I found few XSS bugs.
As they are only exploitable when admin user is logged in,
Support of osCommerce said that this is low priority bug.
It will not be published until patch release.
By the way I must say that Support Team was very fast in reply for my message,
so big plus guys! ;)