X-Cart versions 5.1.6 through 5.1.10 are vulnerable to cross-site scripting (XSS), and versions 5.1.10 and below are vulnerable to authorization bypass.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-0950
X-Cart versions 5.1.6 through 5.1.10 contain a reflected cross-site scripting (XSS) vulnerability. The value of the substring query-string parameter to admin.php is returned in the generated page without proper neutralization, so an attacker can inject arbitrary script through it.
A remote, unauthenticated attacker who convinces a user to follow a crafted link may be able to execute arbitrary script in the context of that user's browser session. A remote, authenticated attacker may be able to obtain or remove data associated with other users' accounts.
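The following is an added example, not X-Cart code, showing the two things a practitioner wants here: a way to check whether a deployment reflects the substring parameter without encoding, and the output-encoding fix that closes a reflected XSS of this shape. The probe URL, the canary string, the render_* functions that stand in for the page template, and the sample response bodies are all constructed for illustration.

```python
"""Reflected-XSS reflection check and output-encoding fix (added example, hypothetical code)."""
import html
from urllib.parse import urlencode

# Constructed canary: an unusual token wrapped around every character that must be
# encoded in HTML text and attribute contexts. If it comes back byte-for-byte, the
# parameter is reflected raw and script injection is possible.
CANARY = 'xqz<"\'>&xqz'
MARKER = "xqz"  # survives encoding, so we can tell "reflected but encoded" from "absent"


def build_probe_url(base_url, param="substring"):
    """Build the GET request a tester would send, e.g. against /admin.php (assumed path)."""
    return f"{base_url}?{urlencode({param: CANARY})}"


def render_vulnerable(substring):
    """Models a template that echoes the parameter into HTML unchanged (the defect class)."""
    return (f'<input type="text" name="substring" value="{substring}">\n'
            f'<p>Results for {substring}</p>')


def render_fixed(substring):
    """Same template with HTML entity encoding applied at output time, quotes included,
    so the value is safe in both the attribute and the text node above."""
    safe = html.escape(substring, quote=True)
    return (f'<input type="text" name="substring" value="{safe}">\n'
            f'<p>Results for {safe}</p>')


def classify_reflection(body):
    """Classify a response body obtained from the probe URL.

    'raw'     - canary present unchanged: exploitable reflected XSS in HTML/attribute context
    'encoded' - marker present but metacharacters altered: reflected, not exploitable here
    'absent'  - parameter not reflected into this response at all
    """
    if CANARY in body:
        return "raw"
    if MARKER in body:
        return "encoded"
    return "absent"


if __name__ == "__main__":
    url = build_probe_url("https://shop.example/admin.php")  # constructed host
    print("probe:", url)
    # Constructed responses standing in for what the server would return.
    for label, body in (("vulnerable", render_vulnerable(CANARY)),
                        ("fixed", render_fixed(CANARY)),
                        ("unrelated", "<html><body>login required</body></html>")):
        print(f"{label:>10}: {classify_reflection(body)}")
```

The canary only covers HTML text and attribute contexts; a parameter reflected inside a script block or a URL attribute needs different metacharacters, and a result of "encoded" there is not a clean bill of health. The fix is applied at the point of output, not by filtering the input, since the same value may be rendered in several contexts.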
Apply an update
Thanks to Yasser Ali for reporting this vulnerability.