Critical Security Issue in CS-Cart Detected

Earlier this week, we sent an email about this issue.

We received word of a major security issue in all versions of CS-Cart 4, including 4.16.2. This vulnerability could potentially let an attacker upload a PHP file to the server and execute it. We are not disclosing more details, because to our knowledge, the vulnerability hasn’t been exploited yet.

You have 2 ways to close the vulnerability:

  • If you’re using CS-Cart 4.16.2, upgrade to 4.16.2 SP1. It should be available in your Upgrade Center.

  • If you can’t upgrade to version 4.16.2 SP1, you can still fix the problem in your version. Find the “Security Fixes (August 2023) for 4.3.1 - 4.16.x” add-on in the “Updates” folder in the File Area in Help Desk. Download it and install the add-on from the archive.

This patch is a must-have if you use CS-Cart Multi-Vendor. For CS-Cart Store Builder this issue is not so crucial, but you can still follow the instructions and the store will become a little safer.

P.S. If you use Multi-Vendor No-Code, we’ve already applied the fix for you.


Please detail the vulnerabilities found, because, even if you do not yet have information about exploited vulnerabilities, we have had exactly these problems for approx. 2 weeks: 2 online stores that have affected and infected PHP files. These are the files:

/config.php
/js/tygh/core.js
/app/controllers/common/elf_connector.php
/app/lib/vendor/composer/autoload_real.php
/app/lib/vendor/composer/autoload_static.php
/app/lib/vendor/autoload.php
/app/addons/email_marketing/lib/vendor/composer/autoload_real.php
/app/addons/email_marketing/lib/vendor/composer/autoload_static.php
/app/addons/email_marketing/lib/vendor/autoload.php
/app/addons/storefront_rest_api/lib/vendor/composer/autoload_real.php
/app/addons/storefront_rest_api/lib/vendor/composer/autoload_static.php
/app/addons/storefront_rest_api/lib/vendor/autoload.php
/app/Tygh/ElFinder/Volume.php