Trustwave researchers spotted multiple cross-site scripting (XSS) vulnerabilities in the admin section of the online store management platform Zen Cart.
If exploited, the vulnerability could let a malicious person insert custom JavaScript into a web session, which could allow the attacker to impersonate the admin and have full access to the site, Trustwave Threat Intelligence Manager Karl Sigler told SCMagazine.com via email on Tuesday.
“It's a relatively easy attack to pull off, although it typically requires some social engineering like getting the victim to click on a link,” Sigler said.
The vulnerabilities could also let an attacker gain access to cookies and sensitive information and deface the site, all of which could result in further attacks, according to a March 25 Trustwave blog.
Researchers recommend that Zen Cart users upgrade to version 1.5.5, which patches the vulnerabilities that exist in version 1.5.4 and potentially earlier versions. A local patch has also been released for users who aren't able to update their systems immediately.
The update also patches an issue in the non-authenticated portion of the application, researchers said in the blog.
A single XSS vulnerability remains in the application, but researchers said exploiting the issue would require admin privileges for the application because of a cross-site request forgery protection.
Sigler said that to his knowledge the vulnerability hasn't been exploited in the wild.