CVE-2011-0503

Name of the Vulnerable Software and Affected Versions VaM Shop versions 1.6 through 1.6.1 VaM Shop versions prior to 1.6

Description A cross-site request forgery issue allows remote attackers to hijack the authentication of administrators for requests. This can lead to changes in user status via "admin/customers.php" or changes in user permissions via "admin/accounting.php".

Recommendations For VaM Shop versions 1.6 through 1.6.1, restrict access to the admin/customers.php and admin/accounting.php endpoints to minimize the risk of exploitation. For VaM Shop versions prior to 1.6, consider disabling the admin/customers.php and admin/accounting.php endpoints until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.