News and announcements

Critical Security Issue in CS-Cart & Multi-Vendor 4.6.1 – 4.15.1

Alisa Maksina

Our partner ASAP Lab recently ran a security audit for us and discovered a security issue in CS-Cart and Multi-Vendor. The issue exists in all versions from 4.6.1 and up to 4.15.1. It can allow anyone with access to the admin / vendor panel and the block editing privilege to gain unauthorized access to the server.

We already have a solution, and it is vital to apply it as soon as possible.

How do I fix the security issue on my site?

The best way is to upgrade your CS-Cart or Multi-Vendor to version 4.15.1 SP4. If you stay on the latest version, you see the latest security fixes and improvements as soon as they are released.

What if I can’t upgrade to the latest version?

We’ve got you covered as well. If you can’t upgrade to 4.15.1.SP4, you can still fix the problem in your version.

  1. Go to the File Area in Help Desk.
  2. In the “Updates” folder, find and download the “Security Fixes for 4.6.1 – 4.15.x” add-on.
  3. Install the add-on from the archive as described in the documentation.

This add-on closes the security vulnerability in older CS-Cart and Multi-Vendor versions.

What are the risks if I don’t apply this security fix?

We see two potential exploits:

  • An admin of yours (or someone who gains access to their account) could potentially steal more data than you allowed that admin to see. This applies both to CS-Cart and Multi-Vendor.
  • A seller at your marketplace (someone with the vendor account) could also potentially gain access to the data not meant for them. This applies only to Multi-Vendor, is harder to pull off, but riskier to allow—especially if you don’t vet your sellers before giving them access to the vendor panel.

For now, exploiting this problem requires technical knowledge (around that of a programmer), the knowledge of CS-Cart architecture, and the block editing privilege. We haven’t seen any evidence of this vulnerability being used by anyone so far.

But it is still vital to apply the latest fixes as soon as possible, because the more people find out about the vulnerability, the easier it is to exploit. Discovering and exploiting the vulnerability for the first time may be difficult, but the second time is a matter of following the instruction. That’s why we go extra lengths to close the vulnerabilities as soon as we learn about them.

I already received an email about 4.15.1 SP3 before. I followed the instructions from there. Should I do anything else?

Last week we released 4.15.1 SP3 to fix security issues in CS-Cart and Multi-Vendor. We later put the upgrades on hold when we discovered that the security fix could break third-party add-ons and themes. That problem got fixed in Service Pack 4, and we updated the “Security Fixes” add-on as well. Now the upgrades ara available again.

  • If you upgraded to 4.15.1 SP3, then upgrade to SP4 as well, for better compatibility with third-party add-ons and themes.
  • If you installed the “Security Fixes” add-on, then redownload the add-on from Help Desk and install it again, following the same steps as before. The new add-on will overwrite the old one, so you don’t even need to uninstall the old add-on.

ASAP Lab is a third party, can I trust them?

ASAP Lab is a company that specialises in hosting, performance, and security. They are our partner, and we trust them completely. Their staff have a lot of experience with CS-Cart, take security and privacy very seriously, and they regularly check CS-Cart code for vulnerabilities. ASAP Lab can also check your entire project, including server configuration, third-party add-ons, etc.