
X-Cart security bulletin, release #20050127


admin
01-28-2005, 12:19 PM
X-CART SECURITY BULLETIN
http://www.x-cart.com/
January 26th, 2005

Dear Customer,

This bulletin contains the latest security advisory for X-Cart users.

DESCRIPTION:
Recently several Cross Site Scripting (CSS) vulnerabilities were discovered in the X-Cart software. The vulnerability is caused by insufficient validation of input data. It can be exploited if a malicious person lures a customer into clicking a specially crafted link, located on a third-party site or inside an email message, that leads to the site running X-Cart. This can result in third-party HTML or JavaScript code being executed in the customer's browser, which can be used for password or email phishing.
No remote access or unauthorized data disclosure can be gained as a direct result of this vulnerability.
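The pattern the description refers to, as an added example in PHP (the language X-Cart is written in) that is not part of the bulletin and is not X-Cart's own code: a search page that writes a request parameter straight into its HTML, the same page with output encoding applied, and a request-entry filter of the kind a globals.php/prepare.php hook could apply. The function names, the `q` parameter, the sample value and the filter's design are all assumptions made for the example.

```php
<?php
// Added example (not X-Cart code): reflected XSS from unvalidated input,
// and the output-encoding fix.  Assumes a search page that echoes the
// 'q' query parameter back into the HTML it returns.

// Vulnerable pattern: raw request data is written into the page, both
// inside an attribute value and in the body.  A crafted link carrying
// HTML in 'q' is rendered, and any script in it runs in the customer's
// browser (as in the bulletin's description).
function render_search_vulnerable(array $get): string
{
    $q = $get['q'] ?? '';
    return '<input type="text" name="q" value="' . $q . '">'
         . '<p>Results for ' . $q . '</p>';
}

// Hardened pattern: encode at the point of output, for the HTML context.
// ENT_QUOTES also encodes single and double quotes, which is what keeps
// the attribute value from being broken out of.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_hardened(array $get): string
{
    $q = $get['q'] ?? '';
    return '<input type="text" name="q" value="' . h($q) . '">'
         . '<p>Results for ' . h($q) . '</p>';
}

// Hypothetical request-entry filter (not X-Cart's actual fix): strips
// tags from every incoming string before any page script sees it.
// This is defence in depth only; strip_tags does nothing about a quote
// that closes an attribute, so output encoding above remains the control.
function sanitize_request(array &$data): void
{
    foreach ($data as $k => &$v) {
        if (is_array($v)) {
            sanitize_request($v);
        } else {
            $v = strip_tags((string) $v);
        }
    }
    unset($v);
}

// Constructed sample: the kind of value a crafted link would carry.
$sample = ['q' => 'shoes"><b>injected</b>'];

echo "vulnerable: ", render_search_vulnerable($sample), "\n";
echo "hardened:   ", render_search_hardened($sample), "\n";

$filtered = $sample;
sanitize_request($filtered);
echo "filtered+hardened: ", render_search_hardened($filtered), "\n";
```

Run it with `php example.php` (PHP 7 or later for the `??` operator and type declarations). In the vulnerable output the `"` in the sample closes the `value` attribute and the `<b>` element lands in the page; in the hardened output both appear as `&quot;&gt;&lt;b&gt;` and are shown as text. The filtered line shows why input stripping alone is not enough: the tag is gone, but the stray quote survives and still has to be encoded on output.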

SEVERITY:
Moderate

CONDITIONS:
The customer is using the IE browser.

IMPACT:
Third-party HTML code or JavaScript can be injected and executed in the customer's browser if they follow a specially crafted link provided by a malicious person.

AFFECTED VERSIONS:
X-Cart versions from 3.3.0 up to 4.0.11

SOLUTION:
If your version is affected by this issue:
1) Download the patch archive file <xcart_security_fix_3.3.0-4.0.11_20050127.tgz> from your personal Help Desk account at https://secure.qualiteam.biz/ (Updates section of the file area)
2) Uncompress the archive.
3) Replace the script file 'globals.php' or 'prepare.php' (depending on your X-Cart version), located in the root directory of your X-Cart installation, with the updated version of that file from the uncompressed archive folder (overwrite the existing file).

The archive file <xcart_security_fix_3.3.0-4.0.11_20050127.tgz> contains fixes for all the affected versions.