XCart 5.2.6 Cross Site Scripting

`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: XCart 5.2.6  
Fixed in: 5.2.7  
Fixed Version Link: https://www.x-cart.com/xc5kit  
Vendor Contact: [email protected]  
Vulnerability Type: XSS  
Remote Exploitable: Yes  
Reported to vendor: 08/13/2015  
Disclosed to public: 11/04/2015  
Release mode: Coordinated release  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Vulnerability Description  
  
There are multiple XSS vulnerabilities in the dialog.php file. This allows an  
attacker to execute arbitrary JavaScript in the context of the browser of a  
victim if the victim clicks on an attacker supplied link or visits an attacker  
controlled website. With this, it is possible to bypass CSRF protection and  
thus do anything the victim can do, inject a JavaScript keylogger, or perform  
phishing attacks.  
  
3. Proof of Concept  
  
  
http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/dialog.php?editor="><script>alert(1)</script>&lang="><script>alert(2)</script>&field_id="><script>alert(3)</script>&fldr="><script>alert(4)</script>&type="><script>alert(5)</script>  
  
4. Solution  
  
To mitigate this issue please upgrade at least to version 5.2.7:  
  
https://www.x-cart.com/xc5kit  
  
Please note that a newer version might already be available.  
  
5. Report Timeline  
  
08/13/2015 Informed Vendor about Issue  
09/03/2015 Vendor Requests more time  
10/19/2015 Vendor releases fix  
11/04/2015 Disclosed to public  
  
  
Blog Reference:  
http://blog.curesec.com/article/blog/XCart-526-XSS-84.html  
  
  
`