CVE-2009-3904
Published: Nov 6, 2009
Modified: Aug 7, 2024
PUBLISHED
Description
classes/session/cc_admin_session.php in CubeCart 4.3.4 does not properly restrict administrative access permissions, which allows remote attackers to bypass restrictions and gain administrative access via an HTTP request that contains an empty (1) sessID (ccAdmin cookie), (2) X_CLUSTER_CLIENT_IP header, or (3) User-Agent header.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
- cubecart-session-security-bypass(54062) (vdb-entry, x_refsource_XF)
- 1023120 (vdb-entry, x_refsource_SECTRACK)
- ADV-2009-3113 (vdb-entry, x_refsource_VUPEN)
- 20091030 CubeCart 4 Session Management Bypass (mailing-list, x_refsource_BUGTRAQ)
- http://forums.cubecart.com/index.php?showtopic=39691?read=1 (x_refsource_CONFIRM)
- http://forums.cubecart.com/index.php?showtopic=39748 (x_refsource_CONFIRM)
- 37197 (third-party-advisory, x_refsource_SECUNIA)
- 36882 (vdb-entry, x_refsource_BID)