The cubecart team today quoted in their forums about a possible SQl injection possible in Cubecart versions 4.4 and lower. The vulnerability was found by the Core Security Team. The exact details can be found here.

The Cubecart Team has however, been very responsive top post a solution to this problem within in a few hours. The team had the following reply on the vulnerability alert ( Original Source: here )

”
CORE Security Advisories Team have found an SQL injection vulnerability in all current versions of CubeCart 4. The issue concerns a possible SQL injection vulnerability on the shipping method selection drop down box during the checkout process.

This will be patched in CubeCart 4.4.0 which will be released later today. Two fix methods are available below to patch any CubeCart v4 store for those who do not wish to upgrade to 4.4.0. ”

2 Solutions have been posted here:
A. File replace with the upgraded file.
B. Code Fix.
Solution A seems to the most simple one. However, just in case you have some mods done to the cart, you might want to go for solution B. Solution B works just fine in case you have other custom modifications done to the cart. If you have modified the code of the cart in anyway, you could simply apply the same fix ( as applicable ).

Feel free to contact us if you need any help with the fix. To avail the code check for free, mail us here.