A cross-site scripting vulnerability was discovered in AbanteCart versions 1.1.5 to 1.2.7.
If you run AbanteCart v1.1.5 to v1.2.7, we suggest that you apply the fix provided below:
Applying the fix is very easy and can be done in 2 different ways.
Option 1: replace the file /core/lib/request.php with the attached request.php
OR
Option 2: replace the line in the file
In file: /core/lib/request.php
Locate code:
    public function decodeURI($uri) {
        $params = array();
        $open_uri = base64_decode($uri);
        $split_parameters = explode('&', $open_uri);
        for($i = 0; $i < count($split_parameters); $i++) {
            $final_split = explode('=', $split_parameters[$i]);
            $params[$final_split[0]] = $final_split[1];
        }
        return $parms;
    }
Replace line:
return $parms;
With:
return $this->clean($params);
Fix is complete
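
The effect of routing the decoded parameters through clean(), shown as an added example that is not AbanteCart's own code. DemoRequest, splitPairs() and the htmlspecialchars-based clean() are assumptions standing in for the real class, the unpatched method is assumed to return the decoded pairs unsanitized, and the input is a constructed sample.

```php
<?php
// Added illustration; not the contents of /core/lib/request.php.
// DemoRequest and its clean() are hypothetical stand-ins.
class DemoRequest {
    // Assumed sanitizer: recursively HTML-encodes array keys and values.
    public function clean($data) {
        if (is_array($data)) {
            $out = array();
            foreach ($data as $key => $value) {
                $out[$this->clean($key)] = $this->clean($value);
            }
            return $out;
        }
        return htmlspecialchars((string)$data, ENT_QUOTES, 'UTF-8');
    }

    // Splits the base64-decoded query string into key/value pairs.
    private function splitPairs($uri) {
        $params = array();
        $decoded = base64_decode($uri, true);
        if ($decoded === false) {
            return $params; // not valid base64: nothing to decode
        }
        foreach (explode('&', $decoded) as $pair) {
            $parts = explode('=', $pair, 2);
            $params[$parts[0]] = isset($parts[1]) ? $parts[1] : '';
        }
        return $params;
    }

    // Before the fix (assumed behaviour): decoded values returned as-is.
    public function decodeUriUnpatched($uri) {
        return $this->splitPairs($uri);
    }

    // After the fix: decoded values pass through clean(), as in Option 2.
    public function decodeUriPatched($uri) {
        return $this->clean($this->splitPairs($uri));
    }
}

// Constructed sample input: a parameter value containing markup characters.
$uri = base64_encode('product_id=50&name=<b>"demo"</b>');
$req = new DemoRequest();
var_dump($req->decodeUriUnpatched($uri)['name']); // markup characters survive
var_dump($req->decodeUriPatched($uri)['name']);   // markup is HTML-encoded
```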