Security bulletin 2009-12-02
During an internal security audit, a critical security issue was detected in X-Cart. The issue makes the software vulnerable to attackers who wish to gain access to the server file system. The solution is to remove the affected file.
SEVERITY
Critical
IMPACT
A malicious user can execute arbitrary shell commands and, as a result, gain access to the server file system.
AFFECTED VERSIONS
X-Cart versions 4.1.0 through 4.1.11. All X-Cart customers using these versions are encouraged to apply the fix described below.
SOLUTION
Delete the ‘<xcart_dir>/payment/cc_basia.php’ file.
This file belongs to an outdated integration of the ‘Bank of Asia’ payment gateway, so deleting it will not cause any problems and will not affect your stores.
‘<xcart_dir>’ denotes the server directory in which your X-Cart is installed.
You can delete this file using FTP, SSH or the hosting control panel file manager.
NOTE: If you use a custom integration of the ‘Bank of Asia’ payment gateway or a customized ‘<xcart_dir>/payment/cc_basia.php’ script, contact our support team for free help.
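The following shell function is an added example, not part of this bulletin: it removes the file over SSH but first checks whether any other file in the installation still references cc_basia, in which case it leaves the file alone so the custom-integration case above can go to support instead. The function name and return codes are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the X-Cart bulletin): remove payment/cc_basia.php from an
# X-Cart install, but only when no other file in the install still references it.
# Returns 0 when the file is gone (or was already absent), 2 when other files
# reference cc_basia (file kept; contact support), 1 on error.
remove_cc_basia() {
    xcart_dir="${1%/}"                      # strip a trailing slash, if any
    target="$xcart_dir/payment/cc_basia.php"
    [ -d "$xcart_dir" ] || { echo "not a directory: $xcart_dir" >&2; return 1; }
    if [ ! -e "$target" ]; then
        echo "already absent: $target"
        return 0
    fi
    # Any file other than the target that mentions cc_basia suggests a custom
    # integration; the bulletin says those should be handled with support.
    refs=$(grep -rlF 'cc_basia' "$xcart_dir" 2>/dev/null | grep -vxF "$target" || true)
    if [ -n "$refs" ]; then
        echo "cc_basia is referenced elsewhere; not deleting (contact support):" >&2
        echo "$refs" >&2
        return 2
    fi
    rm -f "$target" || return 1
    [ ! -e "$target" ] || { echo "removal failed: $target" >&2; return 1; }
    echo "removed: $target"
}
```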
If you have any questions or concerns, please do not hesitate to contact Just X-Cart