Light cross-site scripting vulnerability has been detected in AbanteCart.
Detected vulnerability does not cause any harm to AbanteCart or content.
To fix the problem, please read below.
Effected versions: Up to 1.1.3
About Risk: This is a low risk cross-site scripting vulnerability. Not potential harm to code, database or server structure.
About the fix:
Fix is only 1 file that can be replaces or change manually
Option 1 (version 1.1.3):
Locate file: /core/engine/html.php and replace with attached file
Option 2 (prior to version 1.1.3)
Locate and open file: /core/engine/html.php
Locate below code (about line # 114)
public function removeQueryVar($url, $vars) {
list($url_part, $q_part) = explode('?', $url);
parse_str($q_part, $q_vars);
if (!is_array($vars)) {
$vars = array( $vars );
}
foreach ($vars as $v)
unset($q_vars[ $v ]);
$new_qs = urldecode(http_build_query($q_vars));
return $url_part . '?' . $new_qs;
}
Replace with below code:
public function removeQueryVar($url, $vars) {
list($url_part, $q_part) = explode('?', $url);
parse_str($q_part, $q_vars);
if (!is_array($vars)) {
$vars = array( $vars );
}
foreach ($vars as $v)
unset($q_vars[ $v ]);
foreach ($q_vars as $key => $value)
$q_vars[$key] = $this->request->clean($value);
$new_qs = urldecode(http_build_query($q_vars));
return $url_part . '?' . $new_qs;
}
This issue is toughly addressed and eliminated in coming version of AbanteCart
