The security issues were discovered by Trustwave and are said to affect Zen Cart 1.5.4 and potentially prior versions. Zen Cart released version 1.5.5 to resolve the security flaws and also introduced a new sanitization class with a number of sanitization groups, each meant to perform a defined sanitizations on specific GET/POST parameters.
According to Trustwave researchers, the XSS vulnerabilities were discovered in the admin section of Zen Cart, but one of the issues was found in the non-authenticated portion of the application. Both reflective and stored XSS flaws were affecting multiple parameters of a number of requests, and successful malicious XSS injection could result in access to cookies and sensitive information or site defacement.
One of the XSS vulnerabilities was found in the Zen Cart payment information page in the comments parameter, and was confirmed on Firefox 39, Trustwave’s advisory reveals. A comment with an invalid Redemption Code could results in a reflection of the comments in an unfiltered textarea element, and the XSS is persistent for the duration of the user’s session.
Researchers also found a Cleartext Transmission of Sensitive Information involving the password in a failed login response in Zen Cart 1.5.4. Because of this issue, when attempting a login with an invalid password, the resulting response contains that invalid password.
Additionally, multiple XSS flaws were discovered in the Zen Cart admin interface, including reflected XSS vulnerabilities in alerts that were an immediate response to the injection, persistent XSS flaws found in current scan, and other persistent XSS issues.
These vulnerabilities were discovered last year and reported to the vendor in September, but the fix for them were released only this month. Trustwave researchers note that they not only responsibly disclosed these issues to Zen Cart, but that they also worked with the vendor to resolve them and that they verified multiple versions of intermediate patches before the final release was made available.
With the aforementioned XSS vulnerabilities resolved in Zen Cart 1.5.5, customers are advised to upgrade as soon as possible.
Trustwave researchers also explain that one of the discovered XSS security flaws is still present in the application. However, because of Cross-Site Request Forgery (CSRF) protection for the request, exploiting the issue would require Admin privileges for the application.