Vulnerability CVE-2011-5011
Published: 2011-12-24   Modified: 2012-02-13

Description:
Multiple cross-site request forgery (CSRF) vulnerabilities in xt:Commerce 3.0.4 SP2.1 and possibly earlier allow remote attackers to hijack the authentication of Admins for requests that (1) set a New user to Admin via the cID parameter to a statusconfirm action in admin/customers.php and (2) grant permissions to users via the cID parameter to a save action in admin/accounting.php.

Type:

CWE-352

 (Cross-Site Request Forgery (CSRF))

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Xt-commerce -> XT 

 References:
http://xforce.iss.net/xforce/xfdb/71642
http://secunia.com/advisories/47032
http://osvdb.org/77498
http://dishix.blogspot.com/p/xtcommerce-v304-sp21-cross-site-request_29.html
http://dishix.blogspot.com/2011/11/exploiting-xtcommerce-v304-sp21-cross.html
Copyright 2024, cxsecurity.com

 

Back to Top