Cross-site Scripting
Zen Cart d allows reflected XSS via the main_page parameter to includes/templates/template_default/common/tpl_main_page.php or includes/templates/responsive_classic/common/tpl_main_page.php.
Zen Cart b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.
The traverseStrictSanitize function in admin_dir/includes/classes/AdminRequestSanitizer mishandles key strings, which allows remote authenticated users to execute arbitrary PHP code.
An XSS can be exploited through index.php in Zen by means of the products_id parameter.
Zen Cart has an XSS in the main_page parameter to index.php.