Connect with us

Hi, what are you looking for?


Application Security

Zen Cart Patches Multiple XSS Vulnerabilities

Zen Cart on Friday released an updated version of the popular online open source shopping cart application to address multiple Cross-Site Scripting (XSS) vulnerabilities.

Zen Cart on Friday released an updated version of the popular online open source shopping cart application to address multiple Cross-Site Scripting (XSS) vulnerabilities.

The security issues were discovered by Trustwave and are said to affect Zen Cart 1.5.4 and potentially prior versions. Zen Cart released version 1.5.5 to resolve the security flaws and also introduced a new sanitization class with a number of sanitization groups, each meant to perform a defined sanitizations on specific GET/POST parameters.

According to Trustwave researchers, the XSS vulnerabilities were discovered in the admin section of Zen Cart, but one of the issues was found in the non-authenticated portion of the application. Both reflective and stored XSS flaws were affecting multiple parameters of a number of requests, and successful malicious XSS injection could result in access to cookies and sensitive information or site defacement.

One of the XSS vulnerabilities was found in the Zen Cart payment information page in the comments parameter, and was confirmed on Firefox 39, Trustwave’s advisory reveals. A comment with an invalid Redemption Code could results in a reflection of the comments in an unfiltered textarea element, and the XSS is persistent for the duration of the user’s session.

Researchers also found a Cleartext Transmission of Sensitive Information involving the password in a failed login response in Zen Cart 1.5.4. Because of this issue, when attempting a login with an invalid password, the resulting response contains that invalid password.

Additionally, multiple XSS flaws were discovered in the Zen Cart admin interface, including reflected XSS vulnerabilities in alerts that were an immediate response to the injection, persistent XSS flaws found in current scan, and other persistent XSS issues.

These vulnerabilities were discovered last year and reported to the vendor in September, but the fix for them were released only this month. Trustwave researchers note that they not only responsibly disclosed these issues to Zen Cart, but that they also worked with the vendor to resolve them and that they verified multiple versions of intermediate patches before the final release was made available.

Advertisement. Scroll to continue reading.

With the aforementioned XSS vulnerabilities resolved in Zen Cart 1.5.5, customers are advised to upgrade as soon as possible. 

 Trustwave researchers also explain that one of the discovered XSS security flaws is still present in the application. However, because of Cross-Site Request Forgery (CSRF) protection for the request, exploiting the issue would require Admin privileges for the application.

Last November, Zen Cart resolved a critical vulnerability in the application. The issue, a PHP file inclusion vulnerability, was found to affect the /ajax.php file, and was resolved by Zen Cart within 24 hours after being informed on it.

Related: RCE, SQLi Flaws Found in Popular Web Apps


Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...