The document describes multiple vulnerabilities in Zen Cart v1.3.9f, including a post-auth SQL injection in 'option_name_manager.php' via the 'option_order_by' parameter and persistent XSS in admin panel fields. It provides technical details, vendor communication timeline, and PoC steps but lacks functional exploit code.
Classification
Writeup 90%
Attack Type
Sqli | Xss
Complexity
Trivial
Reliability
Reliable
Target:Zen Cart v1.3.9f
Auth required
Prerequisites:Admin access to Zen Cart · Network access to the target