CVE-2013-1465 : The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 thr

The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object.

Published 2013-02-08 20:55:02

Updated 2025-04-11 00:51:22

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2013-1465

Cubecart » Cubecart
Versions from including (>=) 5.0.0 and up to, including, (<=) 5.2.0
cpe:2.3:a:cubecart:cubecart:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-1465

EPSS FAQ

31.01%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 96 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-1465

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST	2024-01-09
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2013-1465

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-1465

http://www.exploit-db.com/exploits/24465

CubeCart 5.2.0 - 'cubecart.class.php' PHP Object Injection - PHP webapps Exploit
Exploit;Third Party Advisory;VDB Entry
http://osvdb.org/89923

Broken Link
http://forums.cubecart.com/?showtopic=47026

CubeCart 5.2.1 Released - News & Announcements - CubeCart Forums
Patch
http://secunia.com/advisories/52072

Sign in
Not Applicable
http://packetstormsecurity.com/files/120094/CubeCart-5.2.0-PHP-Object-Injection.html

CubeCart 5.2.0 PHP Object Injection ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
http://archives.neohapsis.com/archives/bugtraq/2013-02/0032.html

Broken Link
http://www.securityfocus.com/bid/57770

CubeCart PHP 'shipping' Parameter PHP Object Injection Vulnerability
Broken Link
https://exchange.xforce.ibmcloud.com/vulnerabilities/81920

CubeCart shipping unauthorized access CVE-2013-1465 Vulnerability Report
Third Party Advisory;VDB Entry
http://karmainsecurity.com/KIS-2013-02

CubeCart <= 5.2.0 (cubecart.class.php) PHP Object Injection Vulnerability | Karma(In)Security
Exploit

Jump to

Vulnerability Details : CVE-2013-1465

Products affected by CVE-2013-1465

Exploit prediction scoring system (EPSS) score for CVE-2013-1465

CVSS scores for CVE-2013-1465

CWE ids for CVE-2013-1465

References for CVE-2013-1465