Zen Cart · Zen Cart · CVE-2011-4403
**Name of the Vulnerable Software and Affected Versions**
Zen Cart version 1.3.9h
**Description**
Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that delete a product via a `delete_product_confirm` action to "product.php" or disable a product via a `setflag` action to "categories.php". The affected admin handlers perform these state changes on any request that carries the administrator's session cookie, with no per-request token tying the request to a form the administrator actually submitted, so an administrator who is logged in and visits a page under the attacker's control can have the action performed on their behalf.
**Recommendations**
For Zen Cart version 1.3.9h, as a temporary workaround until a patch is available, disable the `delete_product_confirm` action in "product.php" and the `setflag` action in "categories.php", and avoid using these actions in the affected admin scripts until the issue is resolved. Restrict access to "product.php" and "categories.php" to minimize the risk of exploitation. Note that access restrictions alone do not stop CSRF, because the forged request is sent by the administrator's own browser from an allowed location; the durable fix is a per-session anti-CSRF token that every state-changing admin action verifies before acting.
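The following is an added example, not Zen Cart's own code, covering both the description and the recommendations above: a model of the per-session token check that a state-changing admin action needs, and a heuristic that scans access-log lines for the two affected actions arriving with a cross-site Referer. The parameter name `securityToken`, the admin host, the log format and the sample log lines are all assumptions constructed for the example; real deployments log the action parameter only when it travels in the query string.

```python
"""Added example (not Zen Cart's code): anti-CSRF check for state-changing admin
actions plus a log heuristic for the two actions named in CVE-2011-4403.
Parameter names, host names and log lines are constructed assumptions."""
import hmac
import re
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# The advisory's two state-changing actions, keyed by the admin script that handles them.
STATE_CHANGING_ACTIONS = {
    "product.php": {"delete_product_confirm"},
    "categories.php": {"setflag"},
}


def issue_token(session: dict) -> str:
    """Create, once per session, the secret token that legitimate admin forms embed."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def is_request_allowed(session: dict, script: str, params: dict,
                       referer: Optional[str], admin_host: str):
    """Decide whether a request may run its action; returns (allowed, reason).

    A forged form on another origin is sent with the admin's cookie but cannot
    read the token stored in the admin's session, so the token check fails.
    """
    action = params.get("action")
    if action not in STATE_CHANGING_ACTIONS.get(script, set()):
        return True, "not a state-changing action"
    # 1. Token check (hypothetical parameter name "securityToken"), constant-time compare.
    submitted = params.get("securityToken")
    expected = session.get("csrf_token")
    if not submitted or not expected or not hmac.compare_digest(
            submitted.encode("utf-8"), expected.encode("utf-8")):
        return False, "missing or wrong CSRF token"
    # 2. Defence in depth: a Referer from another host is rejected as well.
    if referer:
        host = urlsplit(referer).hostname
        if host != admin_host:
            return False, f"cross-site referer {host}"
    return True, "ok"


# Combined-format access log: ip ident user [time] "req" status bytes "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')


def suspicious_admin_requests(log_lines, admin_host: str):
    """Return (ip, script, action, referer) for affected actions with an off-site Referer."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        script = path.rsplit("/", 1)[-1]
        params = {k: v[0] for k, v in parse_qs(query).items()}
        action = params.get("action")
        if action not in STATE_CHANGING_ACTIONS.get(script, set()):
            continue
        referer = m["referer"]
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        if ref_host != admin_host:
            hits.append((m["ip"], script, action, referer))
    return hits


# Constructed sample log lines: one cross-site setflag hit, one legitimate delete, one read.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2011:10:01:02 +0000] "GET /admin/categories.php?action=setflag&flag=0&pID=42 HTTP/1.1" 302 0 "http://lure.example/page.html" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Nov/2011:10:02:15 +0000] "POST /admin/product.php?action=delete_product_confirm HTTP/1.1" 302 0 "https://shop.example/admin/product.php?action=delete_product&pID=42" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Nov/2011:10:03:00 +0000] "GET /admin/categories.php?cPath=1 HTTP/1.1" 200 5120 "https://shop.example/admin/index.php" "Mozilla/5.0"',
]


if __name__ == "__main__":
    session = {}
    token = issue_token(session)
    print(is_request_allowed(session, "product.php",
                             {"action": "delete_product_confirm", "securityToken": token},
                             "https://shop.example/admin/product.php", "shop.example"))
    print(is_request_allowed(session, "product.php",
                             {"action": "delete_product_confirm"},
                             "http://lure.example/page.html", "shop.example"))
    for hit in suspicious_admin_requests(SAMPLE_LOG, "shop.example"):
        print("suspicious:", hit)
```

The token check is the control that actually closes the hole; the Referer comparison and the log heuristic are supplementary, since browsers may omit the Referer header and a POST body's action parameter never reaches the access log.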