
Researchers spot multiple XSS vulnerabilities in Zen Cart

Trustwave researchers spotted multiple cross-site scripting (XSS) vulnerabilities in the admin section of the online store management platform Zen Cart.

If exploited, the vulnerability could let a malicious person insert custom JavaScript into a web session, allowing the attacker to impersonate the admin and gain full access to the site, Trustwave Threat Intelligence Manager Karl Sigler said via email on Tuesday.

“It's a relatively easy attack to pull off, although it typically requires some social engineering like getting the victim to click on a link,” Sigler said.

The vulnerabilities could also let an attacker gain access to cookies and sensitive information and deface the site, all of which could result in further attacks, according to a March 25 Trustwave blog post.

Researchers recommend that Zen Cart users upgrade to version 1.5.5, which patches the vulnerabilities that exist in version 1.5.4 and potentially earlier versions. They have also released a local patch for users who aren't able to update their systems immediately.

The update also patches an issue in the non-authenticated portion of the application, researchers said in the blog.

A single XSS vulnerability remains in the application, but researchers said exploiting the issue would require admin privileges for the application because of its cross-site request forgery protection.

Sigler said that to his knowledge the vulnerability hasn't been exploited in the wild. 
