An issue discovered in CS-Cart MultiVendor 4.16.1 allows attackers to alter arbitrary user account profiles via crafted post request.
An attacker sends a crafted POST request to the application interface, which allows changing data of any user account. The vulnerability results from insufficient authorization (CWE-286) — the system does not properly verify whether the requester has permissions to modify the specified profile. According to the references, the vulnerability is related to insufficient authorization when creating API keys in CS-Cart MultiVendor.
An attacker can take control of any user account by modifying their profile data, which can lead to complete breach of confidentiality, integrity and availability of data in the system.
Apply patches available from the manufacturer according to the references. It is also recommended to restrict access to the API interface at the firewall level and monitor unexpected POST requests modifying user profiles.
CS-Cart MultiVendor version 4.16.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCs Cart Multivendor
APPCs-Cart4.16.1
Related vulnerabilities
Niebezpieczne przesyłanie plików w CS-Cart MultiVendor umożliwia RCE
Directory Traversal vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to obtain sensitive in...
File Upload vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via File...
Directory Traversal vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code ...
Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 ...