CVE-2011-4403

2015-04-24T14:59:00
ID CVE-2011-4403
Type cve
Reporter cve@mitre.org
Modified 2015-04-27T14:28:00

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a delete_product_confirm action to product.php or (2) disable a product via a setflag action to categories.php. Per the <a href="http://seclists.org/fulldisclosure/2012/Feb/171">advisory</a>: "By submitting this form from any location an attacker can cause the administrator to delete / disable products from his store." Only integrity and availability are affected.