Xinanzai

**Name of the Vulnerable Software and Affected Versions** hitshop versions prior to 2014-07-15 **Description** An issue was discovered that allows for elevation-of-privilege, enabling control over the whole website. This is achieved via the "admin.php/user/add" URI, where a storekeeper account, intended for commodity management only, can add an administrator account. **Recommendations** For versions prior to 2014-07-15, consider restricting access to the "admin.php/user/add" URI to prevent unauthorized addition of administrator accounts. As a temporary workaround, limit the privileges of storekeeper accounts to prevent them from adding administrator accounts until a fix is available.