Lucene search

[email protected]CVE-2009-3904

HistoryNov 06, 2009 - 3:30 p.m.

CVE-2009-3904

2009-11-0615:30:00

CWE-264

[email protected]

web.nvd.nist.gov

cubecart

security

restriction bypass

cve-2009-3904

nvd

7 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.068 Low

EPSS

Percentile

93.8%

JSON

classes/session/cc_admin_session.php in CubeCart 4.3.4 does not properly restrict administrative access permissions, which allows remote attackers to bypass restrictions and gain administrative access via a HTTP request that contains an empty (1) sessID (ccAdmin cookie), (2) X_CLUSTER_CLIENT_IP header, or (3) User-Agent header.

CPENameOperatorVersion
cubecart:cubecartcubecarteq4.3.4

CPE	Name	Operator	Version
cubecart:cubecart	cubecart	eq	4.3.4

References

forums.cubecart.com/index.php?showtopic=39691?read=1

forums.cubecart.com/index.php?showtopic=39748

secunia.com/advisories/37197

www.acunetix.com/blog/websecuritynews/cubecart-4-session-management-bypass-leads-to-administrator-access/

www.securityfocus.com/archive/1/507594/100/0/threaded

www.securityfocus.com/bid/36882

www.securitytracker.com/id?1023120

www.vupen.com/english/advisories/2009/3113

exchange.xforce.ibmcloud.com/vulnerabilities/54062

7 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.068 Low

EPSS

Percentile

93.8%

JSON

Related for CVE-2009-3904

nessus2 prion1 openvas1 debian1