CVE-2012-6691

Name of the Vulnerable Software and Affected Versions osCMax versions prior to 2.5.1

Description The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities in the admin panel. These vulnerabilities allow remote attackers to hijack the authentication of administrators for requests, potentially leading to SQL injection attacks. Specifically, the vulnerabilities are exploited via the status parameter to "admin/stats monthly sales.php" or the country parameter in a process action to "admin/create account process.php".

Recommendations For osCMax versions prior to 2.5.1, update to version 2.5.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin panel and limiting the use of the vulnerable parameters status and country in the specified API endpoints until the update is applied.