X-Cart versions 5.1.6 through 5.1.10 are vulnerable to cross-site scripting (XSS), and versions 5.1.10 and below are vulnerable to authorization bypass.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-0950
X-Cart versions 5.1.6 through 5.1.10 contain a reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary script via the query string parameter substring in admin.php.
A remote, unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session. A remote, authenticated attacker may be able to obtain or remove data associated with other users' accounts.
Apply an update
Thanks to Yasser Ali for reporting this vulnerability.
This document was written by Joel Land.