CVE-2009-4120
Published: 2009-12-01
Priority: P4 (28) · Severity: medium · CVSS 2.0 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Tags: EXPLOIT
EPSS: 1.00% (58.4th percentile)
Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.Cart 3.4 allow remote attackers to hijack the authentication of the administrator for requests that (1) delete orders via an orders-delete action to admin.php, and possibly (2) delete products or (3) delete pages via unspecified vectors.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opensolution | quick.cart | — | — |
No detection rules found.
Exploit-DB: Quick.Cart 3.4 / Quick.CMS 2.4 - Delete Function Cross-Site Request Forgery (CVE-2009-4120, exploitdb, 2009-11-24)
---
source: https://www.securityfocus.com/bid/37115/info
Quick.Cart and Quick.CMS are prone to a cross-site request-forgery vulnerability because the applications allow users to bypass certain security checks.
Exploiting this issue may allow a remote attacker to perform certain administrative actions, gain unauthorized access to an affected application, or delete certain data. Other attacks are also possible.
Quick.Cart 3.4 and Quick.CMS 2.4 are vulnerable; other versions may also be affected.
NOTE: The vendor refutes this issue stating the issue can not be replicated as described.
Exploit-DB: Quick.Cart 3.4 / Quick.CMS 2.4 - Cross-Site Request Forgery (CVE-2009-4120, exploitdb, 2009-11-24)
---
Systems Affected: Quick.Cart 3.4 (other versions untested), Quick.CMS 2.4 (other versions untested)
Severity: Medium
Vendor: http://opensolution.org/
Author: Alice Kaerast
0. Timeline
25-10-2009 Vulnerability discovered
26-10-2009 Vendor contacted
23-11-2009 No response from vendor, report published
1. Background
Quick.Cart is a "freeware, simple and easy to use shopping cart script.
With this script you will be able to create products database and soon
you will be glad to receive many orders from your customers."
Quick.CMS is a "freeware, fast and easy to customize Content Management
System. In few moments you will be able to add pages in different
languages and create your own web site."
Both products are used on a num
No writeups or analysis indexed.
References:
- http://archives.neohapsis.com/archives/fulldisclosure/2009-11/0260.html
- http://www.securityfocus.com/bid/37115
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54413