We were recently notified of a security vulnerability in the sanitization of the 'notify' parameter, which Zen Cart uses to add product notifications to a customer's account. The proof of concept we received shows that the flaw can be used for SQL injection.
To fix the vulnerability on older versions we are releasing a patch file. Place the patch file in your /includes/extra_configures/ directory; Zen Cart loads the .php files in that directory automatically, so no other change is needed.
The security patch file can be downloaded from: /includes/extra_configures/security_patch_notify_20190707.php
(right click and "save link as") or use the attachment below.
Note 1: We have only tested the patch going back to v1.3.8. The patch is not guaranteed to work on earlier versions.
Note 2: The security patch has been directly incorporated into v1.5.6c (released today) and also into the v1.5.7 development branch. There are no adverse consequences from having the security patch file in place on either of these versions.
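The class of bug the advisory describes, as an added illustration that is not Zen Cart's code and not the contents of security_patch_notify_20190707.php: a request parameter joined straight into an SQL statement, shown next to an input-validation fix of the kind a reader should look for in the patch. The table and column names, the request values and the customer id are assumptions constructed for the demonstration.

```php
<?php
// Added illustration for this advisory. It is NOT Zen Cart's code and NOT the
// contents of security_patch_notify_20190707.php; it only shows the general
// flaw the advisory describes (a request parameter concatenated into SQL)
// next to an input-validation fix. Table and column names are assumptions.

// Constructed request input: a list of product ids, one of them tampered with.
$requestNotify = ['12', '7) OR 1=1 -- '];
$customerId = 42;

/**
 * Vulnerable pattern: request values are joined straight into the statement,
 * so the tampered entry rewrites the WHERE clause.
 */
function buildNotifyQueryUnsafe(array $notify, int $customerId): string
{
    $ids = implode(',', $notify);
    return 'INSERT INTO products_notifications (products_id, customers_id) '
         . "SELECT products_id, $customerId FROM products WHERE products_id IN ($ids)";
}

/**
 * Keep only entries that are positive integers written as plain digits.
 * Anything else (quotes, parentheses, comment markers, nested arrays) is dropped.
 * Accepts a scalar or an array, since the parameter may arrive either way.
 */
function sanitizeProductIds($notify): array
{
    $clean = [];
    foreach ((array) $notify as $value) {
        if (is_int($value) && $value > 0) {
            $clean[] = $value;
        } elseif (is_string($value) && preg_match('/^[1-9][0-9]*$/', $value) === 1) {
            $clean[] = (int) $value;
        }
    }
    return array_values(array_unique($clean));
}

/**
 * Hardened pattern: only validated integers reach the IN list, so the
 * statement text is fixed apart from numbers the code itself produced.
 * Returns null when no valid id remains, so the caller runs no query at all.
 */
function buildNotifyQuerySafe($notify, int $customerId): ?string
{
    $ids = sanitizeProductIds($notify);
    if ($ids === []) {
        return null;
    }
    return 'INSERT INTO products_notifications (products_id, customers_id) '
         . "SELECT products_id, $customerId FROM products WHERE products_id IN ("
         . implode(',', $ids) . ')';
}

echo 'unsafe: ' . buildNotifyQueryUnsafe($requestNotify, $customerId) . PHP_EOL;
echo 'safe:   ' . (buildNotifyQuerySafe($requestNotify, $customerId) ?? '(rejected)') . PHP_EOL;
```

Run it with `php` from the command line: the unsafe builder ends its statement with `IN (12,7) OR 1=1 -- )`, so the attacker's fragment has replaced the product filter and commented out the closing parenthesis, while the safe builder yields `IN (12)` because the tampered entry never matches the digits-only pattern. Casting to int is enough here because the value is numeric by definition; where the parameter can legitimately be a string, a prepared statement with bound parameters is the equivalent fix.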