The ZipCart module before version 6.x-1.4 contained a potential access bypass issue.
From the Drupal advisory, SA-CONTRIB-2012-026:
ZipCart enables a site to provide users with Zip archives for downloads selected by the user.
Versions of ZipCart prior to 6.x-1.4 check an incorrect permission when building archives. This vulnerability is mitigated by the fact that archive file addition is only permitted if Drupal’s normal file download access check permits the user to download the file directly.