Security bulletin 2008-25-12
During internal audit activities, several moderate security issues were detected in X-Cart. These issues make the software potentially
vulnerable to attackers who wish to gain access to the application back-end. The solution is to apply the update released by Qualiteam.
SEVERITY
Moderate
IMPACT
A malicious user can redeclare variables used by the application, execute their own PHP code and, as a result, gain access to the application back-end, the store database and the server file system.
AFFECTED VERSIONS
All X-Cart versions from 4.0.0 to 4.1.11
SOLUTION
We strongly recommend that X-Cart users install the security fix available in the HelpDesk ‘File Area’.
The following security improvements are included in the patch:
– protection against unauthorized access to the back-end, store database and server file system via specially formed GET or POST requests has been added.
– an extra layer of protection against SQL injection has been added.
Where to download the patch:
Please check your File Area:
* For X-Cart version 4.1.11:
check folders X-Cart -> X-Cart 4.1.11 (current version) -> Updates and patches
* For X-Cart versions 4.0.0 – 4.1.10:
check folders X-Cart -> X-Cart supporting files for prev versions -> {Your X-Cart branch} -> {Your X-Cart version} -> Updates and patches
Installation instructions can be found in the README.txt file attached to the .tgz archive.
NOTE:
If you are using X-Cart versions 4.1.0 – 4.1.11, please ensure you have installed all the previous security fixes *prior to* applying this new patch.
Should you require any assistance, please do not hesitate to contact Just X-Cart.