
Markus Schader

Researcher from usd AG
Rank #16845 of 53,635
Total CVSS: 15.9
Vulnerabilities: 2 (Critical: 1, Medium: 1)
PT-2021-12495
9.8
2021-03-19
Unknown · IT-Recht Kanzlei · CVE-2020-6577
Name of the Vulnerable Software and Affected Versions: Zen Cart version 1.5.6c

Description: The issue concerns a SQL Injection vulnerability in the IT-Recht Kanzlei plugin. Specifically, the `itrk-api.php` endpoint is affected, allowing SQL Injection through the `rechtstext_language` parameter.

Recommendations: For Zen Cart version 1.5.6c, consider disabling the IT-Recht Kanzlei plugin until a patch is available to prevent exploitation of the SQL Injection vulnerability in the `itrk-api.php` endpoint. Restrict access to the `itrk-api.php` endpoint to minimize the risk of exploitation. Avoid using the `rechtstext_language` parameter in the affected endpoint until the issue is resolved.
PT-2021-12496
6.1
2021-03-19
Zen Cart · Zen Cart · CVE-2020-6578
Name of the Vulnerable Software and Affected Versions: Zen Cart version 1.5.6d

Description: The issue allows reflected XSS via the `main_page` parameter to files such as `includes/templates/template_default/common/tpl_main_page.php` or `includes/templates/responsive_classic/common/tpl_main_page.php`.

Recommendations: For Zen Cart version 1.5.6d, as a temporary workaround, consider restricting access to the `main_page` parameter in the affected files until a patch is available.