On 30/11/2009, the Zen Cart team, by way of Pedro Joaquín at webvuln, identified an XSS or CSRF attack vulnerability for Zen Cart, all versions.
http://www.zen-cart.com/forum/showthread.php?t=142927
"While XSS or CSRF attacks are difficult to trigger and may not manifest very often, it is still important to protect against the ill effects which could be caused by them.
As such, the following XSS patches are advised in order to protect yourself from a recently-reported vulnerability:
The following edits should be made to the respective files.
THESE UPDATES APPLY TO ALL VERSIONS OF ZEN CART UP TO (& including) v1.3.8a (although line numbers may vary)
NOTE: These updates should be made EVEN if you've renamed your admin folder. (Merely renaming your admin folder will NOT protect you from XSS issues.)"
This patch should be applied as quickly as possible to your carts. As with all vulnerabilities reported, the reporting actually opens the door for more issues and increased intrusion opportunities.
Please note that this is a hand-edited patch and not a direct upload.
Installation of this patch is now available for purchase here (http://www.zencartwebdesign.co.uk/xss-protection-patch-nov-30-2009-p-222.html).
If your Zen Cart is currently unpatched, you can have it patched fully here (http://www.zencartwebdesign.co.uk/zen-cart-138-security-pci-update-full-p-223.html), which is currently on sale for £40.
Under this service, your cart will be patched as outlined by Zen Cart and then tested for any obvious loss of functionality or errors as a result. Please note we will be completing this additional recommendation (http://www.zen-cart.com/forum/showthread.php?t=142784) at the same time, as suggested by the Zen Cart team.
If you require us to patch your cart, you will be asked to provide admin and FTP access via our form once we receive your online order.
Please do not send access information in your order comments.