Cross-site scripting (XSS) vulnerability in zc_install/includes/modules/pages/database_setup/header_php.php in Zen Cart 1.5.0 and earlier, when the software is being installed, allows remote attackers to inject arbitrary web script or HTML via the db_username parameter to zc_install/index.php.
| Software | From | Fixed in |
|---|---|---|
| zen-cart / zen_cart | - | - |
| zen-cart / zen_cart | - | 1.5.x |
| zen-cart / zen_cart | 1.1.0 | 1.1.0.x |
| zen-cart / zen_cart | 1.1.3 | 1.1.3.x |
| zen-cart / zen_cart | 1.2.0d | 1.2.0d.x |
| zen-cart / zen_cart | 1.2.1_patch1 | 1.2.1_patch1.x |
| zen-cart / zen_cart | 1.2.1-patch1 | 1.2.1-patch1.x |
| zen-cart / zen_cart | 1.2.1d | 1.2.1d.x |
| zen-cart / zen_cart | 1.2.2d | 1.2.2d.x |
| zen-cart / zen_cart | 1.2.3d | 1.2.3d.x |
| zen-cart / zen_cart | 1.2.4.1 | 1.2.4.1.x |
| zen-cart / zen_cart | 1.2.4d | 1.2.4d.x |
| zen-cart / zen_cart | 1.2.5d | 1.2.5d.x |
| zen-cart / zen_cart | 1.2.6d | 1.2.6d.x |
| zen-cart / zen_cart | 1.3 | 1.3.x |
| zen-cart / zen_cart | 1.3.0.2 | 1.3.0.2.x |
| zen-cart / zen_cart | 1.3.2 | 1.3.2.x |
| zen-cart / zen_cart | 1.3.5 | 1.3.5.x |
| zen-cart / zen_cart | 1.3.6 | 1.3.6.x |
| zen-cart / zen_cart | 1.3.7 | 1.3.7.x |
| zen-cart / zen_cart | 1.3.8 | 1.3.8.x |
| zen-cart / zen_cart | 1.3.8a | 1.3.8a.x |
| zen-cart / zen_cart | 1.3.9 | 1.3.9.x |
| zen-cart / zen_cart | 1.3.9h | 1.3.9h.x |
| zen-cart / zen_cart | 2008 | 2008.x |