Trustwave's 2024 Retail Report Series Highlights Alarming E-Commerce Threats and Growing Fraud Against Retailers. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave's 2024 Retail Report Series Highlights Alarming E-Commerce Threats and Growing Fraud Against Retailers. Learn More
The SpiderLabs team at Trustwave published a new advisory yesterday, which details multiple vulnerabilities identified in Zen Cart (version 1.5.0). These findings include two Local File Inclusion (LFI) vulnerabilities and a Cross-Site Scripting (XSS) in the installation scripts. All of these security issues were discovered by Jonathan Claudius who is a member of the Trustwave SpiderLabs Research team.
Zen Cart has confirmed the Cross-Site Scripting (XSS) discovery and the vendor is evaluating the Local File Inclusion (LFI) vulnerabilities. The latest version of Zen Cart (1.5.0) is affected but the vendor has advised users to remove the zc_install folder after installation as a workaround. However, Trustwave SpiderLabs urges caution in situations where the Zen Cart installation script is provided as part of a default image. This is often done as a convenience on hosting providers, even incases where the client does not use the software. It is a best practice to ensure that no installation scripts are exposed to outsiders, and these vulnerabilities reinforce the importance of this step.
Trustwave SpiderLabs has deployed protections for this finding in the ModSecurity Commercial Rules Feed and the TrustKeeper vulnerability scanning solution has been updated to detect this finding.
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.