Security patches for vv.4.0.x-4.7.x and the release of X-Cart 4.7.2

Release of X-Cart 4.7.2

Since the previous release, we had little time to implement new features: while the X-Cart 4 Management was defining the roadmap and selecting what features to include into the nearest update, the architects were fixing the bugs from the issue tracker – this is what they’re doing regularly. But detecting a security vulnerability changed the plans and we took decision to release a new version with all the ready fixes aboard, with the primary reason being to provide a secure version to you.

The only feature-related change appeared thanks to a question about In-Context Checkout by PayPal on the Forum. We found out that the list of countries and currencies was enlarged since the moment when our integration was tested and certified by PayPal team. So we added Australia, Austria, Belgium, Canada, Denmark, Italy, Netherlands, Norway, Poland, Spain, Sweden, Switzerland, Turkey to the list of buyer’s allowed countries and the Canadian Dollar, Australian Dollar, Danish Krone, Norwegian Krone, Polish Zloty, Swedish Krona, Swiss Franc and Turkish Lira as supported currencies.

The new version is already available in the File Areas of your HelpDesk accounts and on our website.

Also, direct upgrade to v.4.7.2 is available for the users of the 4.6.x branch, the upgrade pack can be generated on page “My Licenses” in your X-Cart HelpDesk account. Remember to create a backup before upgrading the store, especially if you work with a production site!

Security patches for vv 4.0.x-4.7.1

Affected versions

All X-Cart versions from 4.0.x through 4.7.1 of all Editions ( Gold, GoldPlus, Pro, Platinum)

Impact

• XSS vulnerability on the order search page (4.7.0 and 4.7.1 only);
• XSS vulnerability on the registration page (versions 4.7.1 and earlier);
• XSS vulnerability for the Customer_Reviews/Advanced_Customer_Reviews modules (versions 4.7.1 and earlier);
• XSS Smarty vulnerability (versions 4.6.1 and earlier);
• XSS vulnerability for the Product_Configurator(Product Wizard) module (versions 4.6.1 and earlier);
• Possible SQL injection on the cart page (versions 4.7.1 and earlier);
• Hacker can gain full access to the store’s Admin back end in some cases for Platinum/Pro editions (versions 4.6.4 and earlier);
• X-Cart Protected Mode does not work in some cases (versions 4.6.4 and earlier);

Solution for vv4.0.x-4.6.6

Users of X-Cart versions 4.0.x-4.6.6 are strongly recommended to apply this patch.

Solution for vv4.7.0-4.7.1

Users of X-Cart versions 4.7.0 and 4.7.1 should implement these security fixes by applying the upgrade packs that can be generated in the “My Licenses” section of the HelpDesk accounts. The upgrade of the store is a better option ( vs simply a security patch) for the users of v 4.7.x, because in earlier versions of this branch we discovered 2 major bugs, related to categories indexing and adding a new address on the checkout page, so upgrading the stores to v.4.7.2, you’ll kill two birds with one stone.

You may have the patch applied by our engineers

The security patches application is covered by the support subscription:

• If you have one, all you need is to contact us and provide with the access info to your server via a special secure form (do not post it by email!)
• If you don’t have an active support subscription yet, you may still benefit from using the professional support services. They are available on subscription and incident basis.

Contact us