Important: CS-Cart security patch has been released

Dear CS-Cart users,

our company has just released a security patch which eliminates issues with arbitrary orders list viewing.

Although there is no way to view the detailed order information, it is strongly recommended to apply it to all your existing CS-Cart installations to avoid unauthorized viewing of your customers orders list.

Please download an appropriate version patch file from your File area and use it to overwrite /include/customer/orders.php script at all your CS-Cart stores.

Another way to update your store is to edit /include/customer/orders.php script manually .

Find the following text there:

} elseif (!empty($auth['order_ids'])) {
$query = "$db_tables[orders].order_id IN (".implode(',', $auth['order_ids']).")";

and replace it with this one:

} elseif (!empty($auth['order_ids'])) {
$query = "$db_tables[orders].order_id IN (".implode(',', $auth['order_ids']).")";
} else {

Feel free to contact our support team if you experience any problems or have any questions related to this issue.

thank you.

Am I right in thinking this is only a problem with 1.3.4? I’m running 1.3.3, am I safe?



[quote name=‘recedo’]Am I right in thinking this is only a problem with 1.3.4? I’m running 1.3.3, am I safe?


CS-Cart 1.3.3 also needs to be patched (patch if available in Customers Help Desk File Area, manual patching is the same as for 1.3.4).

okay, thanks


Thank you for your prompt attention to this problem.

Very much appreciated.


Does this affect older versions as well (still using 1.3.0)

Thanks for the update however my orders.php file does not contain that text!

I recently had the cs-cart folks upgrade me from v1.2 to 1.3.4sp2 (supposedly)

I just opened a ticket with the help desk and got a reply of “looks like you’re running v1.3.3”

Hmmmmm…you upgraded me to 1.3.4sp2 but it looks like I’m running 1.3.3???

Anyone have anything similar?




I’m a complete idiot.

Just found out I was looking at a back up of “…/orders.php”