CVE-2018-19853

Name of the Vulnerable Software and Affected Versions hitshop versions prior to 2014-07-15

Description An issue was discovered that allows for elevation-of-privilege, enabling control over the whole website. This is achieved via the "admin.php/user/add" URI, where a storekeeper account, intended for commodity management only, can add an administrator account.

Recommendations For versions prior to 2014-07-15, consider restricting access to the "admin.php/user/add" URI to prevent unauthorized addition of administrator accounts. As a temporary workaround, limit the privileges of storekeeper accounts to prevent them from adding administrator accounts until a fix is available.