Researchers spot multiple XSS vulnerabilities in Zen Cart
Researchers spot multiple XSS vulnerabilities in Zen Cart admin section
Trustwave researchers spotted multiple cross-site scripting (XSS) vulnerabilities in the admin section of the online store management platform Zen Cart.
“It's a relatively easy attack to pull off, although it typically requires some social engineering like getting the victim to click on a link,” Sigler said.
The vulnerabilities could also expose users to an attacker gaining access to cookies, sensitive information and site defacement, all of which could result in further attacks, according to a March 25 Trustwave blog.
Researchers recommend that Zen Cart users upgrade to version 1.5.5. This patches the vulnerabilities that exist in version 1.5.4 and potentially earlier versions, but have released a local patch for users who aren't able to update their systems immediately.
The update also patches an issue in the non-authenticated portion of the application, researchers said in the blog.
A single XSS vulnerability is still in the application, but researchers said exploiting the issue would require admin privileges for the application due to a cross-site request forgery protection.
Sigler said that to his knowledge the vulnerability hasn't been exploited in the wild.