Following a bug report from Roel Zeilstra at Sterc, we have identified two related persistent (stored) cross-site scripting vulnerabilities in SimpleCart. The issue is fixed in v2.3.0-rc5.
Exploiting this vulnerability requires administrator access, and a SimpleCart Options TV input type must be defined or created.
The two identified XSS vulnerabilities are:
We consider these low-severity vulnerabilities, as they require manager access to exploit. However, because they could theoretically be used by a lower-level admin to gain additional permissions or execute other actions in the session of a higher-level admin, we strongly recommend upgrading to 2.3.0-rc5.
Timeline for these vulnerabilities:
First bug report: July 20th
Bug researched further and XSS vectors identified: August 8th
Vulnerabilities fixed: August 8th
Patch release available: August 31st, v2.3.0-rc5
Security Advisory published: September 14th
The upgrade to SimpleCart 2.3.0-rc5 is free for all existing SimpleCart users. For users that have not yet migrated their licenses to modmore, please visit [Migrate SimpleCart licenses to modmore] for instructions.