CVE-2020-12101

Published: 30/04/2020 Updated: 29/04/2024
CVSS v2 Base Score: 4 | Impact Score: 2.9 | Exploitability Score: 8
CVSS v3 Base Score: 4.3 | Impact Score: 1.4 | Exploitability Score: 2.8
VMScore: 356
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

Vulnerability Summary

The address-management feature in xt:Commerce 5.1 to 6.2.2 allows remote authenticated users to zero out other users' stored addresses by manipulating an id field in the POST request for altering an address.

Vulnerable Product

xt-commerce xt-commerce

Exploits

xt:Commerce versions 541, 621, and 622 suffer from an improper access control vulnerability. A logged-in customer can create and alter addresses. These addresses are referenced by incrementing IDs. On saving an address, an attacker could change the ID of the address to write the data to. If the ID belongs to an address which does not belong to ...

Mailing Lists

Full Disclosure mailing list archives: [SYSS-2020-012] Improper Access Control (CWE-284) in xt:Commerce (CVE-2020-12101) ...