The SpiderLabs team at Trustwave published a new advisory yesterday, which details multiple vulnerabilities identified in Zen Cart (version 1.5.0). These findings include two Local File Inclusion (LFI) vulnerabilities and a Cross-Site Scripting (XSS) in the installation scripts. All of these security issues were discovered by Jonathan Claudius who is a member of the Trustwave SpiderLabs Research team.
Zen Cart has confirmed the Cross-Site Scripting (XSS) discovery and the vendor is evaluating the Local File Inclusion (LFI) vulnerabilities. The latest version of Zen Cart (1.5.0) is affected but the vendor has advised users to remove the zc_install folder after installation as a workaround. However, Trustwave SpiderLabs urges caution in situations where the Zen Cart installation script is provided as part of a default image. This is often done as a convenience on hosting providers, even incases where the client does not use the software. It is a best practice to ensure that no installation scripts are exposed to outsiders, and these vulnerabilities reinforce the importance of this step.
For more details regarding this advisory, please visit: