Dear X-Cart,
About a month ago, you dropped a security patch...
security-patch-2013-10-08
May I ask WHY there were no announcements, no emails, no posts or notices of any kind about this? May I ask how you expected users to learn about this security patch?
Quote:
IMPACT
- XSS vulnerability for the Product_Configurator(Product Wizard) module (<= 4.6.1);
- XSS vulnerability for the Feature_Comparison module (<= 4.6.0);
- In some cases, customers can view orders of other customers (<= 4.6.0);
- Hacker can gain full access to the store's Admin back end through the 'Hidden Categories' module (<=4.6.0);
- Potential XSS vulnerability for some modules and product catalogs in the Customer area (<=4.5.5);
SO -- does this mean that if we do not use these modules, we can skip it?
Product_Configurator
Feature_Comparison
Hidden Categories
Quote:
- Potential XSS vulnerability for some modules and product catalogs in the Customer area
What modules? Under what circumstances?
A thorough discussion of this patch would be appreciated.