PT-2009-6126 · Cubecart · Cubecart

Published: 2009-11-06
Updated: 2018-10-10
CVE: CVE-2009-3904
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: CubeCart version 4.3.4
Description: The issue allows remote attackers to bypass administrative access restrictions and gain administrative access. This can be achieved via an HTTP request that contains an empty sessID (the ccAdmin cookie), an empty X_CLUSTER_CLIENT_IP header, or an empty User-Agent header.
Recommendations: For CubeCart version 4.3.4, update the classes/session/cc_admin_session.php file to properly restrict administrative access permissions, ensuring that empty or missing headers and cookies do not grant unauthorized access. As a temporary workaround, consider restricting access to administrative functions until a patch is available.


Related Identifiers

CVE-2009-3904

Affected Products

Cubecart