Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU41777
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2014-2341
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: Yes
Description:
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Session fixation vulnerability in CubeCart before 5.2.9 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
Mitigation:
Install the update from the vendor's website.
Vulnerable software versions:
CubeCart: 5.2.0 - 5.2.7
CPE2.3
https://forums.cubecart.com/topic/48427-cubecart-529-relased/
https://secunia.com/advisories/57856
https://www.exploit-db.com/exploits/32830
https://www.osvdb.org/105784
https://www.securityfocus.com/bid/66805
https://www.securitytracker.com/id/1030086
https://exchange.xforce.ibmcloud.com/vulnerabilities/92526
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.