The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object.
References
Link | Resource |
---|---|
http://archives.neohapsis.com/archives/bugtraq/2013-02/0032.html | Broken Link |
http://forums.cubecart.com/?showtopic=47026 | Patch |
http://karmainsecurity.com/KIS-2013-02 | Exploit |
http://osvdb.org/89923 | Broken Link |
http://packetstormsecurity.com/files/120094/CubeCart-5.2.0-PHP-Object-Injection.html | Exploit Third Party Advisory VDB Entry |
http://secunia.com/advisories/52072 | Not Applicable |
http://www.exploit-db.com/exploits/24465 | Exploit Third Party Advisory VDB Entry |
http://www.securityfocus.com/bid/57770 | Broken Link |
https://exchange.xforce.ibmcloud.com/vulnerabilities/81920 | Third Party Advisory VDB Entry |
Configurations
History
09 Jan 2024, 02:21
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-502 | |
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
References | (BUGTRAQ) http://archives.neohapsis.com/archives/bugtraq/2013-02/0032.html - Broken Link | |
References | (XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/81920 - Third Party Advisory, VDB Entry | |
References | (MISC) http://packetstormsecurity.com/files/120094/CubeCart-5.2.0-PHP-Object-Injection.html - Exploit, Third Party Advisory, VDB Entry | |
References | (BID) http://www.securityfocus.com/bid/57770 - Broken Link | |
References | (SECUNIA) http://secunia.com/advisories/52072 - Not Applicable | |
References | (OSVDB) http://osvdb.org/89923 - Broken Link | |
References | (EXPLOIT-DB) http://www.exploit-db.com/exploits/24465 - Exploit, Third Party Advisory, VDB Entry | |
CPE | cpe:2.3:a:cubecart:cubecart:5.0.1:*:*:*:*:*:*:* cpe:2.3:a:cubecart:cubecart:5.0.5:*:*:*:*:*:*:* cpe:2.3:a:cubecart:cubecart:5.0.7:*:*:*:*:*:*:* cpe:2.3:a:cubecart:cubecart:5.0.2:*:*:*:*:*:*:* cpe:2.3:a:cubecart:cubecart:5.0.3:*:*:*:*:*:*:* cpe:2.3:a:cubecart:cubecart:5.1.4:*:*:*:*:*:*:* cpe:2.3:a:cubecart:cubecart:5.0.8:*:*:*:*:*:*:* cpe:2.3:a:cubecart:cubecart:5.1.1:*:*:*:*:*:*:* cpe:2.3:a:cubecart:cubecart:5.2.0:*:*:*:*:*:*:* cpe:2.3:a:cubecart:cubecart:5.1.3:*:*:*:*:*:*:* cpe:2.3:a:cubecart:cubecart:5.1.0:*:*:*:*:*:*:* cpe:2.3:a:cubecart:cubecart:5.1.5:*:*:*:*:*:*:* cpe:2.3:a:cubecart:cubecart:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:cubecart:cubecart:5.1.2:*:*:*:*:*:*:* cpe:2.3:a:cubecart:cubecart:5.0.4:*:*:*:*:*:*:* cpe:2.3:a:cubecart:cubecart:5.0.9:*:*:*:*:*:*:* |
cpe:2.3:a:cubecart:cubecart:*:*:*:*:*:*:*:* |
Information
Published : 2013-02-08 20:55
Updated : 2024-02-28 12:00
NVD link : CVE-2013-1465
Mitre link : CVE-2013-1465
CVE.ORG link : CVE-2013-1465
JSON object : View
Products Affected
cubecart
- cubecart
CWE
CWE-502
Deserialization of Untrusted Data