Lucene search

PRIOn knowledge basePRION:CVE-2009-3904

HistoryNov 06, 2009 - 3:30 p.m.

Design/Logic Flaw

2009-11-0615:30:00

PRIOn knowledge base

www.prio-n.com

7.1 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.068 Low

EPSS

Percentile

93.7%

JSON

classes/session/cc_admin_session.php in CubeCart 4.3.4 does not properly restrict administrative access permissions, which allows remote attackers to bypass restrictions and gain administrative access via a HTTP request that contains an empty (1) sessID (ccAdmin cookie), (2) X_CLUSTER_CLIENT_IP header, or (3) User-Agent header.

CPENameOperatorVersion
cubecarteq4.3.4

CPE	Name	Operator	Version
	cubecart	eq	4.3.4

References

forums.cubecart.com/index.php?showtopic=39691?read=1

forums.cubecart.com/index.php?showtopic=39748

secunia.com/advisories/37197

www.securityfocus.com/archive/1/507594/100/0/threaded

www.securityfocus.com/bid/36882

www.securitytracker.com/id?1023120

www.vupen.com/english/advisories/2009/3113

exchange.xforce.ibmcloud.com/vulnerabilities/54062

www.acunetix.com/blog/websecuritynews/cubecart-4-session-management-bypass-leads-to-administrator-access/

7.1 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.068 Low

EPSS

Percentile

93.7%

JSON

Related for PRION:CVE-2009-3904