Full Disclosure mailing list archives

Cross-Site Scripting Vulnerability in Zen Cart 1.5.7


From: Daniel Bishtawi via Fulldisclosure <fulldisclosure () seclists org>
Date: Tue, 25 May 2021 17:43:22 +0200

Hello,

We are informing you about a Cross-Site Scripting Vulnerability in Zen Cart
1.5.7.

Here are the details:

Information
--------------------
Advisory by Netsparker
Name: Cross-Site Scripting Vulnerability in Zen Cart 1.5.7
Affected Software: Zen Cart
Affected Versions: 1.5.7
Homepage: https://www.zen-cart.com/
Vulnerability: Cross-Site Scripting
Severity: High
Status: Fixed
CVSS Score (3.0): AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Netsparker Advisory Reference: NS-21-002

Technical Details
--------------------

Zen Cart 1.5.7 did not properly sanitize the names of HTTP GET parameters
(as opposed to their values), which led to a Cross-Site Scripting (XSS)
vulnerability in the admin area. The impact is reduced by the fact that a
Zen Cart installation requires the admin directory to be given a random or
user-chosen name, so an attacker must first learn the admin URL before a
crafted link can reach the affected pages.
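To make the bug class concrete, the following PHP snippet is an added
illustration, not Zen Cart's code and not part of the original advisory. It
shows a page that reflects GET parameter names into HTML, escaping only the
values, beside the corrected version that escapes keys as well. The function
names, the hidden-field rendering and the query string are all assumptions
constructed for the example.

```php
<?php
// Added illustration of the bug class in this advisory (hypothetical code,
// not Zen Cart's). A page that rebuilds hidden form fields from the current
// request is a common place for parameter *names* to reach HTML output.

// Vulnerable: only the value is escaped. The key is interpolated raw, so a
// parameter name containing '">' closes the attribute and injects markup.
function hidden_fields_vulnerable(array $params): string
{
    $html = '';
    foreach ($params as $name => $value) {
        $html .= '<input type="hidden" name="' . $name
               . '" value="' . htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8')
               . "\">\n";
    }
    return $html;
}

// Fixed: every request-controlled string, key and value alike, is
// attribute-escaped before it is written to the page.
function hidden_fields_fixed(array $params): string
{
    $html = '';
    foreach ($params as $name => $value) {
        $html .= '<input type="hidden" name="'
               . htmlspecialchars((string)$name, ENT_QUOTES, 'UTF-8')
               . '" value="' . htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8')
               . "\">\n";
    }
    return $html;
}

// Constructed query string standing in for $_SERVER['QUERY_STRING'] of a
// crafted link. parse_str() decodes it the same way PHP populates $_GET, so
// the payload lands in the array key rather than the value. The payload uses
// '/' instead of spaces because PHP rewrites dots and spaces in parameter
// names to underscores, which would break a space-separated attribute list.
$query = 'page=1&%22%3E%3Csvg%2Fonload%3Dalert(1)%3E=x';
parse_str($query, $params);

echo "Vulnerable:\n" . hidden_fields_vulnerable($params);
echo "Fixed:\n" . hidden_fields_fixed($params);
```

Run with `php example.php`: the vulnerable output contains a literal
`<svg/onload=alert(1)>` element outside the input tag, while the fixed output
carries the same bytes as `&quot;&gt;&lt;svg/onload=alert(1)&gt;` inside the
`name` attribute, where a browser treats them as text. The practical lesson
is that escaping must be applied at the output sink to every string derived
from the request, including keys that developers tend to regard as their own.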

Resolution: The vulnerability is fixed in Zen Cart v1.5.7c.
Scope: It affected only users of Zen Cart v1.5.7, v1.5.7a, and v1.5.7b.
Fix: Users can consult the release announcement for guidance on applying
the patched files or upgrading to v1.5.7c.

For more information on cross-site scripting vulnerabilities, read the
article Cross-site Scripting (XSS).

For more information:
https://www.netsparker.com/web-applications-advisories/ns-21-002-cross-site-scripting-in-zen-cart/

Regards,

Daniel Bishtawi

Marketing Administrator | Netsparker
e:  daniel.bishtawi () netsparker com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/