X-Cart contains a flaw that may lead to an unauthorized information disclosure. The problem is that the "general.php" script does not validate user-supplied input to the "mode" variable. With a specially crafted URL request a remote attacker could reveal the installation path resulting in a loss of confidentiality.
Remote / Network Access
Loss of Confidentiality
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.