Yasser Ali

**Name of the Vulnerable Software and Affected Versions** X-Cart versions 5.1.6 through 5.1.10 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `substring` parameter in the "admin.php" file. **Recommendations** For X-Cart versions 5.1.6 through 5.1.10, consider restricting access to the admin.php file until a patch is available. As a temporary workaround, avoid using the `substring` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** X-Cart versions prior to 5.1.11 **Description** The issue allows remote authenticated users to read or delete address data of arbitrary accounts. This can be achieved by sending a modified request to either update or remove address data. **Recommendations** For versions prior to 5.1.11, update to version 5.1.11 or later to resolve the issue.