We have been informed of an XSS vulnerability in Zen Cart 1.3.7 (and prior versions).

The vulnerability only affects stores that use the special TEXT input attribute on their products.

The problem arises from insufficient cleansing of output where that attribute value is displayed.

NOTE: we have fixed the vulnerability by specifically targeting output functions where the TEXT attribute is displayed, in both catalog and admin. This is how we have addressed possible and actual XSS vulnerabilities in the past.
We have not used global cleansing of all $_POST variables, as this may limit the functionality of various intrinsic Zen Cart operations.
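As an added illustration (not Zen Cart's own code), the contrast between encoding the TEXT attribute value at its display point and stripping every posted field globally; the helper names and sample values below are assumptions constructed for the example.

```php
<?php
// Added illustration, not Zen Cart code: encode the TEXT attribute value at
// the point of display instead of cleansing every $_POST field globally.
declare(strict_types=1);

// Hypothetical helper: encode a stored attribute value for HTML output.
function render_text_attribute(string $value): string
{
    // ENT_QUOTES also encodes ' and ", so the result is safe inside attribute
    // values as well as element content; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string that would silently drop the text.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The approach the notice rejects: strip tags from every posted field.
function global_input_cleanse(array $post): array
{
    return array_map(fn(string $v): string => strip_tags($v), $post);
}

// Constructed sample values a customer might type into a TEXT attribute.
$samples = [
    'Engrave: "Happy Birthday" <3',   // legitimate, contains < and "
    'Fits screens <10 inches',        // legitimate, but looks like a tag start
    '<script>alert(1)</script>',      // benign test payload for the XSS case
];

foreach ($samples as $raw) {
    // Output encoding: every sample renders inert and nothing is lost.
    $encoded = render_text_attribute($raw);
    // Global input cleansing: the two legitimate values are truncated at '<',
    // because strip_tags treats "<3" and "<10" as the start of a tag.
    $stripped = global_input_cleanse(['attr' => $raw])['attr'];
    printf("raw:      %s\nencoded:  %s\nstripped: %s\n\n", $raw, $encoded, $stripped);
}
```

Running it shows why the targeted fix is the right one: encoding at output neutralises the script sample while preserving the customers' legitimate text, whereas global stripping mangles the legitimate values and would do the same to any other Zen Cart field that needs them intact.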

A patch fix for v1.3.7 will be posted within the hour.