Multiple vulnerabilities have been discovered in Zen Cart, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.
1) Input passed via the "loader_file" parameter to includes/initsystem.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences.
Successful exploitation of this vulnerability requires that "register_globals" is enabled, and that the server is not configured to use ".htaccess" files.
2) Input passed via the GET and POST parameters and files uploaded via includes/templates/template_default/common/tpl_header_test_info.php (when "flag_disable_header" is set) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Successful exploitation of these vulnerabilities requires that "register_globals" is enabled.
3) Input passed via the "message" parameter to index.php (when "main_page" is set to "gv_send") is not properly sanitised in includes/templates/template_default/templates/tpl_gv_send_default.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerabilities are confirmed in version 1.3.9h. Prior versions may also be affected.
