Recently Trustwave notified us of multiple possible security vulnerabilities in Zen Cart Admin.
The majority of these vulnerabilities were XSS and/or reflected XSS vulnerabilities.
Some background here.
There are a lot of places in Admin where we allow the input of html/script tags,
e.g. product descriptions, product names and email sending, as well as some configuration values.
While allowing these does mean there could be XSS vulnerabilities, this is further mitigated by the use of XSRF tokens in admin … and the requirement that one must be logged into the admin for this to be an issue at all.
After a long period of discussion with Trustwave, we decided to implement a more global process for sanitizing GET/POST parameters in Admin.
Those changes can be seen in the admin/includes/init_includes/init_sanitize.php and admin/includes/classes/AdminRequestSanitizer.php files of the new v1.5.5 release.
These files can also be used to patch v1.5.0/v1.5.1/v1.5.2/v1.5.3 and v1.5.4.
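As an added illustration of the per-parameter approach described above (this is not Zen Cart's own AdminRequestSanitizer code), the example below applies a policy table to admin GET/POST input, leaving markup intact only for fields where the admin intentionally accepts HTML and treating everything else as an integer, an enumerated value or plain text; the parameter names and the policy table are assumptions.

```php
<?php
// Added example, not Zen Cart's sanitizer. Policy types for admin request parameters.
const POLICY_INT     = 'int';   // numeric id; anything else becomes 0
const POLICY_TEXT    = 'text';  // markup stripped (output still needs escaping on display)
const POLICY_HTML_OK = 'html';  // markup intended, e.g. product descriptions
const POLICY_ENUM    = 'enum';  // must be one of a fixed list of values

// Hypothetical policy table; the parameter names are assumptions.
$policies = [
    'products_id'          => [POLICY_INT],
    'products_name'        => [POLICY_TEXT],
    'products_description' => [POLICY_HTML_OK],
    'action'               => [POLICY_ENUM, ['insert', 'update', 'delete']],
];

function sanitizeParam(string $name, $value, array $policies)
{
    // Unknown parameters get the strictest default: plain text with markup stripped.
    $policy  = $policies[$name] ?? [POLICY_TEXT];
    $type    = $policy[0];
    $allowed = $policy[1] ?? [];

    // Array-valued parameters (e.g. foo[]=a&foo[]=b) are sanitized element by element.
    if (is_array($value)) {
        return array_map(fn($v) => sanitizeParam($name, $v, $policies), $value);
    }
    switch ($type) {
        case POLICY_INT:
            return filter_var($value, FILTER_VALIDATE_INT) !== false ? (int)$value : 0;
        case POLICY_ENUM:
            return in_array($value, $allowed, true) ? $value : null;
        case POLICY_HTML_OK:
            // HTML is accepted here by design; the admin login and the XSRF token
            // are what limit who can submit it.
            return $value;
        case POLICY_TEXT:
        default:
            return strip_tags((string)$value);
    }
}

function sanitizeRequest(array $input, array $policies): array
{
    $clean = [];
    foreach ($input as $name => $value) {
        $clean[$name] = sanitizeParam((string)$name, $value, $policies);
    }
    return $clean;
}

// Constructed sample standing in for $_POST; not captured from a real request.
$sample = [
    'products_id'          => '12abc',
    'products_name'        => 'Widget <script>alert(1)</script>',
    'products_description' => '<b>Bold</b> description',
    'action'               => 'drop',
    'unexpected'           => '<img src=x onerror=alert(1)>',
];
print_r(sanitizeRequest($sample, $policies));
```

With the constructed sample, products_id becomes 0, action becomes null, the script and img tags are stripped from the text fields, and the product description keeps its markup.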