[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAKD6+R4VBChRHTwP-anfPK4XcDr6+FybKFG-iSOACcSTdxZw3w@mail.gmail.com>
Date: Tue, 25 May 2021 17:43:22 +0200
From: Daniel Bishtawi via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org, vuln@...unia.com, bugs@...uritytracker.com,
submissions@...ketstormsecurity.org
Subject: [FD] Cross-Site Scripting Vulnerability in Zen Cart 1.5.7
Hello,
We are informing you about a Cross-Site Scripting Vulnerability in Zen Cart
1.5.7.
Here are the details:
Information
--------------------
Advisory by Netsparker
Name: Cross-Site Scripting Vulnerability in Zen Cart 1.5.7
Affected Software: Zen Cart
Affected Versions: 1.5.7
Homepage: https://www.zen-cart.com/
Vulnerability: Cross-Site Scripting
Severity: High
Status: Fixed
CVSS Score (3.0): AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Netsparker Advisory Reference: NS-21-002
Technical Details
--------------------
Zen Cart 1.5.7 was improperly sanitizing user input in HTTP GET parameter
names, which led to a Cross-Site Scripting (XSS) vulnerability in the admin
area. The impact of this vulnerability is lessened due to the fact that the
name of the admin panel must be set to a random or user-supplied name.
Resolution: The vulnerability is fixed in Zen Cart v1.5.7c.
Scope: It affected only users of Zen Cart v1.5.7, v1.5.7a, and v1.5.7b.
Fix: Users can consult the release announcement for guidance on applying
the patched files related to upgrading to v1.5.7c
For more information on cross-site scripting vulnerabilities read the
article Cross-site Scripting (XSS).
For more information:
https://www.netsparker.com/web-applications-advisories/ns-21-002-cross-site-scripting-in-zen-cart/
Regards,
Daniel Bishtawi
Marketing Administrator | Netsparker
e: daniel.bishtawi@...sparker.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists