Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Zen Cart Patches Multiple XSS Vulnerabilities

Zen Cart on Friday released an updated version of the popular online open source shopping cart application to address multiple Cross-Site Scripting (XSS) vulnerabilities.

Zen Cart on Friday released an updated version of the popular online open source shopping cart application to address multiple Cross-Site Scripting (XSS) vulnerabilities.

The security issues were discovered by Trustwave and are said to affect Zen Cart 1.5.4 and potentially prior versions. Zen Cart released version 1.5.5 to resolve the security flaws and also introduced a new sanitization class with a number of sanitization groups, each meant to perform a defined sanitizations on specific GET/POST parameters.

According to Trustwave researchers, the XSS vulnerabilities were discovered in the admin section of Zen Cart, but one of the issues was found in the non-authenticated portion of the application. Both reflective and stored XSS flaws were affecting multiple parameters of a number of requests, and successful malicious XSS injection could result in access to cookies and sensitive information or site defacement.

One of the XSS vulnerabilities was found in the Zen Cart payment information page in the comments parameter, and was confirmed on Firefox 39, Trustwave’s advisory reveals. A comment with an invalid Redemption Code could results in a reflection of the comments in an unfiltered textarea element, and the XSS is persistent for the duration of the user’s session.

Researchers also found a Cleartext Transmission of Sensitive Information involving the password in a failed login response in Zen Cart 1.5.4. Because of this issue, when attempting a login with an invalid password, the resulting response contains that invalid password.

Additionally, multiple XSS flaws were discovered in the Zen Cart admin interface, including reflected XSS vulnerabilities in alerts that were an immediate response to the injection, persistent XSS flaws found in current scan, and other persistent XSS issues.

These vulnerabilities were discovered last year and reported to the vendor in September, but the fix for them were released only this month. Trustwave researchers note that they not only responsibly disclosed these issues to Zen Cart, but that they also worked with the vendor to resolve them and that they verified multiple versions of intermediate patches before the final release was made available.

With the aforementioned XSS vulnerabilities resolved in Zen Cart 1.5.5, customers are advised to upgrade as soon as possible. 

 Trustwave researchers also explain that one of the discovered XSS security flaws is still present in the application. However, because of Cross-Site Request Forgery (CSRF) protection for the request, exploiting the issue would require Admin privileges for the application.

Last November, Zen Cart resolved a critical vulnerability in the application. The issue, a PHP file inclusion vulnerability, was found to affect the /ajax.php file, and was resolved by Zen Cart within 24 hours after being informed on it.

Related: RCE, SQLi Flaws Found in Popular Web Apps

 

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.