EPSS
Percentile
59.5%
CS-Cart before 3.0.6, when PayPal Standard Payments is configured, allows remote attackers to set the payment recipient via a modified value of the merchant’s e-mail address, as demonstrated by setting the recipient to one’s self.
www.kb.cert.org/vuls/id/583564
www.kb.cert.org/vuls/id/BLUU-949PQL