Thursday, May 27, 2021

Zen Cart 1.5.7 Cross Site Scripting

Advisory by Netsparker
Name: Cross-Site Scripting Vulnerability in Zen Cart 1.5.7
Affected Software: Zen Cart
Affected Versions: 1.5.7
Vulnerability: Cross-Site Scripting
Severity: High
Status: Fixed
CVSS Score (3.0): AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Netsparker Advisory Reference: NS-21-002

Technical Details

Zen Cart 1.5.7 was not properly sanitizing user input in HTTP GET parameter
names (as opposed to parameter values), which led to a Cross-Site Scripting
(XSS) vulnerability in the admin area. The impact of this vulnerability is
lessened because the name of the admin panel must be set to a random or
user-supplied value, so the affected URL is not predictable.
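The pattern behind this class of bug, as an added Python illustration that is not Zen Cart's code and does not reproduce its admin pages: a page that echoes the request's query parameters back into HTML must escape the parameter names as well as the values, because both are attacker-controlled. The query string, the parameter names and the allowlist pattern below are constructed for the demonstration.

```python
import re
from html import escape
from urllib.parse import parse_qsl

# Constructed sample query string (not taken from the advisory). The second
# parameter's *name*, not its value, carries markup; this is the input class
# the advisory describes, where only values were being sanitized.
SAMPLE_QUERY = "page=1&<i>marker</i>=value"

# Hypothetical allowlist for the parameter names an endpoint expects.
PARAM_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def render_unsafe(query: str) -> str:
    """Reflect parameter names and values into HTML without escaping.

    This is the defective pattern: the name is interpolated verbatim, so any
    markup inside it reaches the rendered page unchanged.
    """
    rows = [
        f"<li>{name} = {value}</li>"
        for name, value in parse_qsl(query, keep_blank_values=True)
    ]
    return "<ul>" + "".join(rows) + "</ul>"


def render_safe(query: str) -> str:
    """Same fragment, with both name and value passed through html.escape().

    quote=True also encodes quote characters, so the result is safe inside
    attribute values as well as in element content.
    """
    rows = [
        f"<li>{escape(name, quote=True)} = {escape(value, quote=True)}</li>"
        for name, value in parse_qsl(query, keep_blank_values=True)
    ]
    return "<ul>" + "".join(rows) + "</ul>"


def unexpected_param_names(query: str) -> list:
    """Second layer: return parameter names that fail the allowlist.

    Output encoding is the primary fix; rejecting or logging names that an
    endpoint never expects adds defence in depth and a detection hook.
    """
    return [
        name
        for name, _ in parse_qsl(query, keep_blank_values=True)
        if not PARAM_NAME_RE.match(name)
    ]


if __name__ == "__main__":
    print("unsafe :", render_unsafe(SAMPLE_QUERY))
    print("safe   :", render_safe(SAMPLE_QUERY))
    print("flagged:", unexpected_param_names(SAMPLE_QUERY))
```

Escaping at the point of output is the fix that actually closes the hole; the allowlist only narrows what reaches the template and gives operations something to alert on when unexpected parameter names show up in admin-area requests.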

Resolution: The vulnerability is fixed in Zen Cart v1.5.7c.
Scope: It affected only users of Zen Cart v1.5.7, v1.5.7a, and v1.5.7b.
Fix: Users can consult the release announcement for guidance on applying
the patched files or upgrading to v1.5.7c.

For more information on cross-site scripting vulnerabilities, read the
article Cross-site Scripting (XSS).

Copyright © 2020 Cyber Details - Vulnerability Database™