CVE-2011-5011

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions xt:Commerce versions 3.0.4 SP2.1 and earlier

Description The issue allows remote attackers to hijack the authentication of admins for specific requests. This can be achieved through cross-site request forgery (CSRF) vulnerabilities. The vulnerabilities are exploited by manipulating the cID parameter in two scenarios:

Setting a new user to admin via the statusconfirm action in admin/customers.php.
Granting permissions to users via the save action in admin/accounting.php.

Recommendations For xt:Commerce versions 3.0.4 SP2.1 and earlier, consider disabling the statusconfirm and save actions in admin/customers.php and admin/accounting.php respectively until a patch is available. Restrict access to these modules to minimize the risk of exploitation. Avoid using the cID parameter in the affected API endpoints until the issue is resolved.

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2011-5011

Affected Products

Xt:Commerce

CVE-2011-5011

Weakness Enumeration

Related Identifiers

Affected Products

References · 7