CVE-2000-0253
Published 2000-04-11
CVE-2000-0253: The dansie shopping cart application cart.pl allows remote attackers to modify sensitive purchase information via hidden form fields.
Priority: P4 24 | critical 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 2.54% (83.0th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craig_dansie | dansie_shopping_cart | — | — |
CWE-642: External Control of Critical State Data (source: mitre_cwe)
The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.
If an attacker can modify the state information without detection, then it could be used to perform unauthorized actions or access unexpected resources, since the application programmer does not expect that the state can be changed. State information can be stored in various locations such as a cookie, in a hidden web form field, input parameter or argument, an environment variable, a database record, within a settings file, etc. All of these locations have the potential to be modified by an attacker. When this state information is used to control security or determine resource usage, then
CWE-472: External Control of Assumed-Immutable Web Parameter (source: mitre_cwe)
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
If a web product does not properly protect assumed-immutable values from modification in hidden form fields, parameters, cookies, or URLs, this can lead to modification of critical data. Web applications often mistakenly make the assumption that data passed to the client in hidden fields or cookies is not susceptible to tampering. Improper validation of data that are user-controllable can lead to the application processing incorrect, and often malicious, input. For example, custom cookies commonly store session data or persistent data across sessions. This kind of session
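The weakness class described under CWE-642 and CWE-472, as an added example that is not code from the Dansie cart or from this page: an order total computed from a hidden `price` field, beside two mitigations (server-side price lookup, and a MAC over state that must round-trip through the browser). The catalogue, key, field names and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: server-side catalogue, prices in cents.
CATALOG = {"sku-1001": 4999, "sku-2002": 1250}
SECRET = b"constructed-demo-key"  # assumption: in practice a random key kept off the client


def total_trusting_form(form):
    """Weak pattern: the unit price comes back from a hidden form field."""
    return int(form["price"]) * int(form["qty"])


def total_from_catalog(form):
    """Hardened: only SKU and quantity are read from the client; price is looked up."""
    sku, qty = form["sku"], int(form["qty"])
    if sku not in CATALOG:
        raise ValueError("unknown SKU")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def sign_state(sku, price):
    """MAC over state sent to the browser; JSON encoding avoids separator ambiguity."""
    msg = json.dumps([sku, price]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def verify_state(form):
    """True only if the hidden fields still match the MAC issued with them."""
    expected = sign_state(form["sku"], form["price"])
    return hmac.compare_digest(expected, form.get("mac", ""))


def demo():
    honest = {"sku": "sku-1001", "price": "4999", "qty": "2"}
    honest["mac"] = sign_state(honest["sku"], honest["price"])
    altered = dict(honest, price="1")  # constructed: hidden field changed after issue
    return {
        "weak_total": total_trusting_form(altered),
        "hardened_total": total_from_catalog(altered),
        "honest_mac_ok": verify_state(honest),
        "altered_mac_ok": verify_state(altered),
    }


if __name__ == "__main__":
    print(demo())
```

Server-side lookup is the stronger of the two fixes because the client never supplies the price at all; the MAC only detects modification of values that have to pass through the browser.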
Published: 2000-04-11