CVE-2020-9009

Name of the Vulnerable Software and Affected Versions ShipStation.com plugin versions 1.1 and earlier for CS-Cart

Description The issue allows remote attackers to insert arbitrary information into the database via the "action=shipnotify" endpoint because access to this endpoint is completely unchecked. The attacker must guess an order number.

Recommendations For ShipStation.com plugin versions 1.1 and earlier, consider disabling access to the "action=shipnotify" endpoint until a patch is available to prevent arbitrary information insertion into the database. At the moment, there is no information about a newer version that contains a fix for this vulnerability.