Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Session Hijacking. This issue affects E-Commerce Website: before 4.5.001.
The vulnerability (CWE-639) consists of the application using user-controlled keys or identifiers (e.g., parameters in URLs or cookies) to identify sessions or resources without properly verifying whether the requester is actually authorized to access the given resource. An attacker can manipulate these values to impersonate another user and hijack their session (Session Hijacking). The attack requires no authentication, victim interaction, or special network conditions — it is possible remotely over a public network.
An attacker can fully take over the session of any user, including administrator accounts, gaining unauthorized access to personal data, order history, payment data, and store management functions. Depending on the privileges of the compromised account, data manipulation or complete takeover of the e-commerce platform is possible.
The E-Commerce Website software must be immediately updated to version 4.5.001 or later. Detailed information is available in the security advisory at: https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0222
E-Commerce Website software by Akilli Commerce Software Technologies Ltd. Co. in all versions prior to 4.5.001.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H