Vulnerability Description
Multiple cross-site request forgery (CSRF) vulnerabilities in xt:Commerce 3.0.4 SP2.1 and possibly earlier allow remote attackers to hijack the authentication of Admins for requests that (1) set a New user to Admin via the cID parameter to a statusconfirm action in admin/customers.php and (2) grant permissions to users via the cID parameter to a save action in admin/accounting.php.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xt-Commerce | Xt-Commerce | 3.0.4 |
Related Weaknesses (CWE)
References
- http://dishix.blogspot.com/2011/11/exploiting-xtcommerce-v304-sp21-cross.htmlThird Party Advisory
- http://dishix.blogspot.com/p/xtcommerce-v304-sp21-cross-site-request_29.htmlThird Party Advisory
- http://osvdb.org/77498Broken Link
- http://secunia.com/advisories/47032Vendor Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71642VDB Entry
- http://dishix.blogspot.com/2011/11/exploiting-xtcommerce-v304-sp21-cross.htmlThird Party Advisory
- http://dishix.blogspot.com/p/xtcommerce-v304-sp21-cross-site-request_29.htmlThird Party Advisory
- http://osvdb.org/77498Broken Link
- http://secunia.com/advisories/47032Vendor Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71642VDB Entry
FAQ
What is CVE-2011-5011?
CVE-2011-5011 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Multiple cross-site request forgery (CSRF) vulnerabilities in xt:Commerce 3.0.4 SP2.1 and possibly earlier allow remote attackers to hijack the authentication of Admins for requests that (1) set a New...
How severe is CVE-2011-5011?
CVE-2011-5011 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2011-5011?
Check the references section above for vendor advisories and patch information. Affected products include: Xt-Commerce Xt-Commerce.