Abrookbanks

Rank: #19524 of 53,633
Total CVSS: 13.5
Vulnerabilities: 2 (Medium: 1, High: 1)
PT-2024-25259 · CVSS 8.0 · 2024-04-29
Cubecart · Cubecart · CVE-2024-33438

**Name of the Vulnerable Software and Affected Versions** CubeCart versions prior to 6.5.5

**Description** The issue allows an authenticated user to execute arbitrary code via a crafted .phar file. This is a result of a File Upload vulnerability.

**Recommendations** For versions prior to 6.5.5, update to version 6.5.5 or later to resolve the issue. As a temporary workaround, consider restricting file upload capabilities to minimize the risk of exploitation.
PT-2021-20132 · CVSS 5.5 · 2021-05-27
Cubecart · Cubecart · CVE-2021-33394

**Name of the Vulnerable Software and Affected Versions** Cubecart version 6.4.2

**Description** The issue allows for Session Fixation, where the application fails to generate a new session cookie after a user logs in. This enables a malicious user to create and inject a new session cookie value into a victim's session. Once the victim logs in, the injected cookie becomes valid, granting the attacker access to the user's account through the active session.

**Recommendations** For Cubecart version 6.4.2, consider implementing a mechanism to regenerate a new session cookie after a user logs in to prevent session fixation attacks. As a temporary workaround, restrict access to sensitive user account information until a proper fix is applied.