CVE-2011-4403

Name of the Vulnerable Software and Affected Versions Zen Cart version 1.3.9h

Description The issue allows remote attackers to hijack the authentication of administrators for requests. This can be done through multiple cross-site request forgery (CSRF) vulnerabilities. Specifically, the vulnerabilities enable attackers to make requests that delete a product via a delete product confirm action to "product.php" or disable a product via a setflag action to "categories.php".

Recommendations For Zen Cart version 1.3.9h, consider disabling the delete product confirm action to "product.php" and the setflag action to "categories.php" as a temporary workaround until a patch is available. Restrict access to the "product.php" and "categories.php" files to minimize the risk of exploitation. Avoid using the delete product confirm and setflag actions in the affected API endpoints until the issue is resolved.