Jer

**Name of the Vulnerable Software and Affected Versions** ShipStation.com plugin versions 1.1 and earlier for CS-Cart **Description** The issue allows remote attackers to insert arbitrary information into the database via the "action=shipnotify" endpoint because access to this endpoint is completely unchecked. The attacker must guess an order number. **Recommendations** For ShipStation.com plugin versions 1.1 and earlier, consider disabling access to the "action=shipnotify" endpoint until a patch is available to prevent arbitrary information insertion into the database. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ShipStation.com plugin version 1.0 for CS-Cart **Description** The issue allows remote attackers to obtain sensitive information due to a typo that results in a successful comparison of a blank password and NULL. This can be achieved via the `action=export` endpoint. **Recommendations** For ShipStation.com plugin version 1.0, consider restricting access to the `action=export` endpoint until a fix is available. Additionally, review password comparison logic to prevent similar issues in the future. At the moment, there is no information about a newer version that contains a fix for this vulnerability.