Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 7.5
CVE Id: CVE-2013-1465
Last Modified: 26 Mar 2013 12:00:00
Published: 08 Feb 2013 03:55:01
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2013-1465

Summary

The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object.

Vulnerable Systems

Application

  • Cubecart 5.0.0
  • Cubecart 5.0.1
  • Cubecart 5.0.2
  • Cubecart 5.0.3
  • Cubecart 5.0.4
  • Cubecart 5.0.5
  • Cubecart 5.0.6
  • Cubecart 5.0.7
  • Cubecart 5.0.8
  • Cubecart 5.0.9
  • Cubecart 5.1.0
  • Cubecart 5.1.1
  • Cubecart 5.1.2
  • Cubecart 5.1.3
  • Cubecart 5.1.4
  • Cubecart 5.1.5
  • Cubecart 5.2.0

References

XF - cubecart-shipping-unauth-access(81920)

BID - 57770

EXPLOIT-DB - 24465

SECUNIA - 52072

MISC - http://packetstormsecurity.com/files/120094/CubeCart-5.2.0-PHP-Object-Injection.html

OSVDB - 89923

MISC - http://karmainsecurity.com/KIS-2013-02

CONFIRM - http://forums.cubecart.com/?showtopic=47026

BUGTRAQ - 20130206 [KIS-2013-02] CubeCart <= 5.2.0 (cubecart.class.php) PHP Object Injection Vulnerability


Last Updated: 27 May 2016 10:51:51