PT-2014-6233 · Shopizer · Shopizer

Johannes Dahse

Published

2014-07-15

Updated

2018-10-09

CVE-2014-4963

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Shopizer versions 1.1.5 and earlier

Description The issue allows remote attackers to modify the account settings of arbitrary users. This is achieved via the customer.customerId parameter to the "shop/profile/register.action" endpoint.

Recommendations For Shopizer versions 1.1.5 and earlier, avoid using the customer.customerId parameter in the "shop/profile/register.action" endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the "shop/profile/register.action" endpoint to minimize the risk of exploitation.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2014-4963

Affected Products

Shopizer

PT-2014-6233 · Shopizer · Shopizer

CVE-2014-4963

Related Identifiers

Affected Products

References · 4