Popular open source shopping cart app Zen Cart is warning its users of dozens of cross-site scripting vulnerabilities found in its software. Affected websites, security experts say, risk exposing customers to malware, theft of cookies data and site defacement. Researchers at the security firm Trustwave discovered the vulnerabilities in September 2015 and have worked closely with Zen Cart to update the (1.5.4) shopping cart software. On March 17, Zen Cart released a 1.5.5 update to its software along with a patch for previous versions of Zen Cart, for those customers that wanted to continue using the older platform. Public disclosure of the vulnerability was on Friday.
“We have no indication that any Zen Cart customers were impacted,” said Chris Brown, co-founder Zen Cart. Brown said Zen Cart had numerous preexisting security measures put in place that would of made any potential cross-site scripting (XSS) vulnerability extremely hard to execute. Zen Cart, with an estimated 113,000 active users (according to BuiltWith.com), has told its users they will have to pro-actively install the patch. Affected customers told Threatpost that Zen Cart has notified them of the vulnerability offering patching and update options. “We were told well ahead of time about the XSS vulnerability and received an (software) update as soon as it was available for download,” said Judy Gunderson, a web designer with Gunderson Ventures who has approximately 100 Zen Cart customers. For its part, Trustwave told Threatpost that 50 XSS vulnerabilities were found in the admin section of the Zen Cart software along with one issue in the non-authentication portion of the application. “Our researchers found both reflective and stored XSS in multiple parameters of number of requests. Malicious cross-site scripting injections could result in access to cookies, sensitive information and site defacement, which can result into further attacks,” wrote Trustwave researcher Sriram Akurati in the public disclosure of the XSS vulnerability. “We discovered the XSS on Zen Cart in a completely random manner,” said Alex Rothacker, senior security research at Trustwave. “We have a monthly Hack Friday event where the team goes ahead a picks something and tries to find vulnerabilities. In this case, one team member picked Zen Carts, because it was a popular solution.”