Information
--------------------
Advisory by Netsparker
Name: Cross-Site Scripting Vulnerability in Zen Cart 1.5.7
Affected Software: Zen Cart
Affected Versions: 1.5.7
Homepage: https://www.zen-cart.com/
Vulnerability: Cross-Site Scripting
Severity: High
Status: Fixed
CVSS Score (3.0): AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Netsparker Advisory Reference: NS-21-002
Technical Details
--------------------
Zen Cart 1.5.7 was improperly sanitizing user input in HTTP GET parameter
names, which led to a Cross-Site Scripting (XSS) vulnerability in the admin
area. The impact of this vulnerability is lessened due to the fact that the
name of the admin panel must be set to a random or user-supplied name.
Resolution: The vulnerability is fixed in Zen Cart v1.5.7c.
Scope: It affected only users of Zen Cart v1.5.7, v1.5.7a, and v1.5.7b.
Fix: Users can consult the release announcement for guidance on applying
the patched files related to upgrading to v1.5.7c
For more information on cross-site scripting vulnerabilities read the
article Cross-site Scripting (XSS).
For more information:
https://www.netsparker.com/web-applications-advisories/ns-21-002-cross-site-scripting-in-zen-cart/
