Luis Santana

Researcher from HackTalk Security Team
#19467 of 53,633
13.6 total CVSS
Vulnerabilities · 2 (Medium · 2)
PT-2015-5842 · CVSS 6.8 · 2015-03-25
CS-Cart · CS-Cart · CVE-2015-2701

**Name of the Vulnerable Software and Affected Versions**
CS-Cart version 4.2.4

**Description**
A cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of a logged-in user for requests that change that user's password, via a forged request to the "profiles-update/" endpoint. The endpoint accepts the change on the strength of the session cookie alone, and browsers attach that cookie to cross-site form submissions automatically, so a victim who loads an attacker-controlled page while logged in can have their password set to a value of the attacker's choosing without any further interaction.

To confirm exposure, submit the password-change form to "profiles-update/" from a page on a different origin while logged in: if the change succeeds without a per-session anti-CSRF token and without the current password, the instance is vulnerable.

**Recommendations**
Apply the vendor fix for version 4.2.4 as soon as it is available. Until then, disabling the password change functionality is the safest stopgap, since restricting access to "profiles-update/" at the web server only helps if it limits which clients (and therefore which browsers) can reach the endpoint at all. The durable fix is the standard CSRF defence: validate a per-session anti-CSRF token on every POST to "profiles-update/", reject requests whose Origin (or Referer) is not the site's own, require the user's current password before accepting a new one, and mark the session cookie SameSite so browsers stop attaching it to cross-site form posts.
PT-2010-2460 · CVSS 6.8 · 2010-02-25
Limny · Limny · CVE-2010-0709

**Name of the Vulnerable Software and Affected Versions**
Limny version 2.0

**Description**
Multiple cross-site request forgery (CSRF) vulnerabilities allow remote attackers to hijack the authentication of users or administrators for state-changing requests. Two are known: (1) changing a user's e-mail address or password via a forged request to `index.php`, and (2) creating a new user via the `admin/modules/user/new` action sent to `limny/index.php`. The second case rides an administrator's session, so an attacker who lures a logged-in administrator to a malicious page can add an account of the attacker's choosing. In both cases the application accepts the request on the basis of the session cookie alone, which the browser sends with cross-site form submissions automatically.

**Recommendations**
Apply a vendor fix when one is available. Note that `index.php` is the application's entry point, so restricting access to it is equivalent to taking the site offline; as a temporary measure it is more practical to allow-list, at the web server, the client addresses permitted to reach the admin area and the `admin/modules/user/new` action, which limits whose browser sessions an attacker could ride. The real fix is to validate a per-session anti-CSRF token on every state-changing request (e-mail change, password change, user creation), reject requests whose Origin or Referer is not the site's own, require the current password for credential changes, and set the session cookie with the SameSite attribute.
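Both advisories above describe the same weakness: a password-change (or account-creation) endpoint that trusts the session cookie alone. The following added example, which is not CS-Cart or Limny code, models such a "profiles-update/" handler in its vulnerable form and in a hardened form that applies the recommended checks (Origin check, synchronizer token, current-password requirement), then replays against each the request a victim's browser would send when it loads an attacker page containing a self-submitting form. The user store, session store, field names and origins are all assumptions made for the demonstration.

```python
"""CSRF on a password-change endpoint: vulnerable handler vs. hardened handler.

Added example, not CS-Cart or Limny code.  All names, form field names, the
sample user and both origins are assumptions made for the demonstration.
"""
import hmac
import secrets
from dataclasses import dataclass, field

USERS = {"alice": {"password": "Alice-old-pw"}}   # constructed user store
SESSIONS = {}                                      # session id -> {"user", "csrf"}
SITE_ORIGIN = "https://shop.example.test"          # assumed origin of the app


@dataclass
class Request:
    """The parts of an HTTP request that matter for a CSRF decision."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def login(user: str, password: str) -> str:
    """Start a session and bind a fresh per-session CSRF token to it."""
    if USERS.get(user, {}).get("password") != password:
        raise PermissionError("bad credentials")
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def profiles_update_vulnerable(req: Request) -> str:
    """Vulnerable pattern: the session cookie alone authorises the change.
    Browsers attach that cookie to a cross-site form POST, so a page that
    auto-submits the form sets the victim's password to the attacker's value."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return "401 not logged in"
    USERS[sess["user"]]["password"] = req.form["password1"]
    return "200 password changed"


def profiles_update_hardened(req: Request) -> str:
    """Hardened handler: three checks a cross-site page cannot satisfy."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return "401 not logged in"
    # 1. Browsers send Origin on cross-site POSTs and the attacker cannot forge
    #    it; a missing header is treated as untrusted here (assumed policy).
    if req.headers.get("Origin") != SITE_ORIGIN:
        return "403 cross-origin request refused"
    # 2. Synchronizer token: the form value must equal the token bound to the
    #    session.  Constant-time compare so the token does not leak via timing.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return "403 missing or invalid CSRF token"
    # 3. Re-authentication: without the current password an attacker cannot
    #    pick a new one even if the first two checks were somehow bypassed.
    if req.form.get("old_password") != USERS[sess["user"]]["password"]:
        return "403 current password required"
    USERS[sess["user"]]["password"] = req.form["password1"]
    return "200 password changed"


def demo() -> dict:
    """Replay the forged request against both handlers, then a legitimate one."""
    USERS["alice"]["password"] = "Alice-old-pw"     # reset so the demo repeats
    sid = login("alice", "Alice-old-pw")
    # What the server sees when the victim loads the attacker's page: the
    # victim's cookie, the attacker's fields, and an Origin that is not ours.
    forged = Request(cookies={"sid": sid},
                     form={"password1": "pwned", "password2": "pwned"},
                     headers={"Origin": "https://evil.example.test"})
    out = {"vulnerable_forged": profiles_update_vulnerable(forged)}
    USERS["alice"]["password"] = "Alice-old-pw"     # undo the takeover
    out["hardened_forged"] = profiles_update_hardened(forged)
    legit = Request(cookies={"sid": sid},
                    form={"old_password": "Alice-old-pw", "password1": "N3w-pw",
                          "password2": "N3w-pw", "csrf_token": SESSIONS[sid]["csrf"]},
                    headers={"Origin": SITE_ORIGIN})
    out["hardened_legit"] = profiles_update_hardened(legit)
    out["final_password"] = USERS["alice"]["password"]
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17} {result}")
```

The three checks are deliberately independent: the Origin test rejects the forged request first, but a same-origin request that lacks the token, or a tokened request that omits the current password, is still refused, so a bypass of any single control does not by itself hand over the account. Setting the session cookie with SameSite adds a fourth layer at the browser rather than in the handler.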