Whilst reading on XSS attacks today, I found this recently reported exploit in CubeCart 4 that can gain an attacker full administrative access to the store.
Not only that, it can help them dump your entire store DB – products, cats, users, orders, the works. Anyway, you get the idea. “CubeCart responded and informed their customers about this vulnerability” – as technical advisor for a site that runs on CC4, I can testify to the fact that the site owners were not informed of any such. Nice.
The forum announcement is automatically displayed in the admin control panel of EVERY CubeCart store. You can’t get a more direct message across than that.
Thank you for that; the client had expected to receive this in an email. To be honest, a store owner who only understands selling their products and providing customer support is unlikely to read the technical announcements. I think for the average person that runs a store, anything short of a threatening email will be considered a failure to grab their attention.
Yes, I agree an email notification would have been good as an extra communication tool also. This is not an easy exploit to do, so the risk shouldn’t be significant. We ought to have a number of different mailing lists: security notifications, partner offers etc…
In the immortal words of Microsoft, “this vulnerability is only theoretical”.
As for the mailing list, I think that’s a great idea; I’d subscribe to it, but you should always send these to the principal account holders – it will also be a more proactive way to get people to upgrade / upsell.