Security bulletin 20080806
Several moderate-severity security issues have been identified in X-Cart. They leave X-Cart-based stores potentially vulnerable to attackers who wish to render the application inoperable or gain access to the application back-end.
Qualiteam has released a security update that includes the following improvements.
All versions:
- the user add/update mechanism introduced in the previous patch has been changed,
- protection against SQL errors caused by an invalid productID has been added (except for versions 4.1.4 - 4.1.10),
- protection against SQL injection during inventory updates has been added.
4.0.x branch:
- session variables are now protected from modification via POST and GET requests,
- for versions 4.0.10 - 4.0.19, the previous patch did not work for stores running in a Windows environment; this has now been corrected.
4.1.x branch:
- session variables are now protected from modification via POST and GET requests,
- the previous patch did not work for stores running in a Windows environment; this has now been corrected,
- protection against unauthorized file access through the GiftCertificate module has been added,
- (for 4.1.9, 4.1.10) the protection against XSS attacks introduced by the previous patch has been improved,
- (for 4.1.0 - 4.1.8) an error revealed in the previous patch (use of an undeclared function) has been fixed.
SEVERITY: Moderate
IMPACT
A malicious user can make an X-Cart-based store inoperable or gain access to the application back-end and to sensitive information stored in user profiles.
AFFECTED VERSIONS
All X-Cart versions from 3.5.X to 4.1.10
SOLUTION
We strongly recommend that X-Cart users install the security fix available in the HelpDesk ‘File Area’. Installation instructions can be found in the README.txt file included in the .tgz archive.
IMPORTANT!
This security patch MUST be applied only after the previous security patch has been applied.
Should you require any assistance, please do not hesitate to contact Just X-Cart
