Sorry if you're getting multiple notifications on my messages. They just seem to keep getting lost (or I'm just incapable of using the internet properly)
The problem with these scanners is that many of them just try to err on the side of reporting too many issues instead of too less. So it is possible that you will be getting false positives.
The specific issue it flagged is a very old issue and deals with a file called default.php. Search your codebase for a file like that and if something turns up, then you can investigate further. The link I posted above to ExploitDB gives you a decent idea of what that warning is all about without getting too technical.
You could grep your root folder as the headers of osCommerce files are signed.
5 osCommerce, Open Source E-Commerce Solutions 6 http://www.oscommerce.com 7 8 Copyright (c) 2003 osCommerce
So something like:
grep "osCommerce\|oscommerce" /var/www/vhosts/somesitename/httpdocs/*
Obviously changing the path to your root folder as it could be set up different.
Alternatively you could try a locate for specific files within the osCommerce install here is a list of the files in version 2.2 http://www.oscdox.com/crossx/nav.html?_functions/index.html
find -name "login.php"
The specific vulnerability exists in a file called default.php. Maybe you have a file of the same name with the same vulnerability and it is miscategorizing it?
Can you try this also and report back?
find -name "default.php"