lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 25 May 2021 17:43:22 +0200
From: Daniel Bishtawi via Fulldisclosure <>
Subject: [FD] Cross-Site Scripting Vulnerability in Zen Cart 1.5.7


We are informing you about a Cross-Site Scripting Vulnerability in Zen Cart

Here are the details:

Advisory by Netsparker
Name: Cross-Site Scripting Vulnerability in Zen Cart 1.5.7
Affected Software: Zen Cart
Affected Versions: 1.5.7
Vulnerability: Cross-Site Scripting
Severity: High
Status: Fixed
CVSS Score (3.0): AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Netsparker Advisory Reference: NS-21-002

Technical Details

Zen Cart 1.5.7 was improperly sanitizing user input in HTTP GET parameter
names, which led to a Cross-Site Scripting (XSS) vulnerability in the admin
area. The impact of this vulnerability is lessened due to the fact that the
name of the admin panel must be set to a random or user-supplied name.

Resolution: The vulnerability is fixed in Zen Cart v1.5.7c.
Scope: It affected only users of Zen Cart v1.5.7, v1.5.7a, and v1.5.7b.
Fix: Users can consult the release announcement for guidance on applying
the patched files related to upgrading to v1.5.7c

For more information on cross-site scripting vulnerabilities read the
article Cross-site Scripting (XSS).

For more information:


Daniel Bishtawi

Marketing Administrator | Netsparker

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists