A security directory traversal vulnerability has been discovered in all version of CubeCart version 6. CubeCart version 6.1.4 has been release which patches this.
We recommend that all merchants upgrade to 6.1.4 or patch their store as soon as possible.
Manual Patch: https://github.com/cubecart/v6/commit/8f1ec4e87c58e60e7fd865eabc6a1ab2b721729c
We would like to pass on our warm thanks to all the staff at Japan Computer Emergency Response Team (JPCERT) Coordination Center for discovering this issue and for handling it so professionally.