Vulnerability Details : CVE-2009-3904
classes/session/cc_admin_session.php in CubeCart 4.3.4 does not properly restrict administrative access permissions, which allows remote attackers to bypass restrictions and gain administrative access via an HTTP request that contains an empty (1) sessID (ccAdmin cookie), (2) X_CLUSTER_CLIENT_IP header, or (3) User-Agent header.
Products affected by CVE-2009-3904
- cpe:2.3:a:cubecart:cubecart:4.3.4:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2009-3904
- EPSS score: 6.81% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~93% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2009-3904
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
CWE ids for CVE-2009-3904
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2009-3904
- http://forums.cubecart.com/index.php?showtopic=39691?read=1
- http://www.securityfocus.com/archive/1/507594/100/0/threaded
- http://forums.cubecart.com/index.php?showtopic=39748 (Patch)
- http://www.securitytracker.com/id?1023120 (Exploit)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54062
- http://www.acunetix.com/blog/websecuritynews/cubecart-4-session-management-bypass-leads-to-administrator-access/ (Exploit)
- http://www.securityfocus.com/bid/36882 (Exploit)
- http://www.vupen.com/english/advisories/2009/3113 (Patch; Vendor Advisory)