Network Security, Threat Management, Vulnerability Management

Researchers spot multiple XSS vulnerabilities in Zen Cart

Share

Trustwave researchers spotted multiple cross-site scripting (XSS) vulnerabilities in the admin section of the online store management platform Zen Cart.

If exploited a malicious person could use the vulnerability to insert custom JavaScript into a web session that could allow the attacker to impersonate the admin and have full access to the site, Trustwave Threat Intelligence Manager Karl Sigler, told SCMagazine.com via email on Tuesday.

“It's a relatively easy attack to pull off, although it typically requires some social engineering like getting the victim to click on a link,” Sigler said.

The vulnerabilities could also expose users to an attacker gaining access to cookies, sensitive information and site defacement, all of which could result in further attacks, according to a March 25 Trustwave blog.

Researchers recommend that Zen Cart users upgrade to version 1.5.5. This patches the vulnerabilities that exist in version 1.5.4 and potentially earlier versions, but have released a local patch for users who aren't able to update their systems immediately.

The update also patches an issue in the non-authenticated portion of the application, researchers said in the blog.

A single XSS vulnerability is still in the application, but researchers said exploiting the issue would require admin privileges for the application due to a cross-site request forgery protection.

Sigler said that to his knowledge the vulnerability hasn't been exploited in the wild. 

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.