QwikSec

Security Database

CVE

CWE

Training

CVE-2011-5011

Published: Dec 25, 2011

Modified: Aug 7, 2024

PUBLISHED

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in xt:Commerce 3.0.4 SP2.1 and possibly earlier allow remote attackers to hijack the authentication of Admins for requests that (1) set a New user to Admin via the cID parameter to a statusconfirm action in admin/customers.php and (2) grant permissions to users via the cID parameter to a save action in admin/accounting.php.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://dishix.blogspot.com/p/xtcommerce-v304-sp21-cross-site-request_29.html

x_refsource_MISC

vdb-entry

x_refsource_OSVDB

xtcommerce-customers-accounting-csrf(71642)

vdb-entry

x_refsource_XF

third-party-advisory

x_refsource_SECUNIA

http://dishix.blogspot.com/2011/11/exploiting-xtcommerce-v304-sp21-cross.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.