eCommerce Blog on Running an Online Marketplace

Critical Security Issue in CS-Cart & Multi-Vendor 4.6.1 – 4.15.1

Our partner ASAP Lab recently ran a security audit for us and discovered a security issue in CS-Cart and Multi-Vendor. The issue exists in all versions from 4.6.1 and up to 4.15.1. It can allow anyone with access to the admin / vendor panel and the block editing privilege to gain unauthorized access to the server.

We already have a solution, and it is vital to apply it as soon as possible.

How do I fix the security issue on my site?

The best way is to upgrade your CS-Cart or Multi-Vendor to version 4.15.1 SP4. If you stay on the latest version, you see the latest security fixes and improvements as soon as they are released.

What if I can’t upgrade to the latest version?

We’ve got you covered as well. If you can’t upgrade to 4.15.1.SP4, you can still fix the problem in your version.

  1. Go to the File Area in Help Desk.
  2. In the “Updates” folder, find and download the “Security Fixes for 4.6.1 – 4.15.x” add-on.
  3. Install the add-on from the archive as described in the documentation.

This add-on closes the security vulnerability in older CS-Cart and Multi-Vendor versions.

What are the risks if I don’t apply this security fix?

We see two potential exploits:

For now, exploiting this problem requires technical knowledge (around that of a programmer), the knowledge of CS-Cart architecture, and the block editing privilege. We haven’t seen any evidence of this vulnerability being used by anyone so far.

But it is still vital to apply the latest fixes as soon as possible, because the more people find out about the vulnerability, the easier it is to exploit. Discovering and exploiting the vulnerability for the first time may be difficult, but the second time is a matter of following the instruction. That’s why we go extra lengths to close the vulnerabilities as soon as we learn about them.

I already received an email about 4.15.1 SP3 before. I followed the instructions from there. Should I do anything else?

Last week we released 4.15.1 SP3 to fix security issues in CS-Cart and Multi-Vendor. We later put the upgrades on hold when we discovered that the security fix could break third-party add-ons and themes. That problem got fixed in Service Pack 4, and we updated the “Security Fixes” add-on as well. Now the upgrades ara available again.

ASAP Lab is a third party, can I trust them?

ASAP Lab is a company that specialises in hosting, performance, and security. They are our partner, and we trust them completely. Their staff have a lot of experience with CS-Cart, take security and privacy very seriously, and they regularly check CS-Cart code for vulnerabilities. ASAP Lab can also check your entire project, including server configuration, third-party add-ons, etc.

4.6 / 5 ( 13 votes )
Exit mobile version