Vulnerability Note VU#583564
CS-Cart v3.0.4 configured with PayPal Standard Payments design vulnerability
Overview
CS-Cart v3.0.4, and possibly other versions, configured with PayPal Standard Payments is susceptible to a client-side attack that allows an attacker to purchase items without paying for them.
Description
It has been reported that CS-Cart v3.0.4 configured with PayPal Standard Payments contains a design flaw that allows an attacker to buy items without having to pay for them. The parameter for the merchant's PayPal email address is controlled on the client side and is not verified by the server. An attacker can therefore change the PayPal email address to one the attacker controls, purchasing items on a website while effectively paying themselves instead of the merchant. Detecting this fraud requires manually verifying website orders against the PayPal transactions.
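The manual verification described above can be scripted as a reconciliation pass over orders and payment records. This is an added example, not CS-Cart or PayPal code: the field names, addresses and sample records are constructed for illustration, and the amount and currency checks go one step beyond the receiver check the note describes.

```python
from decimal import Decimal

MERCHANT_EMAIL = "sales@merchant.example"  # assumption: read from server-side config

# Constructed sample records; field names are illustrative only.
ORDERS = [
    {"order_id": "1001", "total": "49.90", "currency": "USD"},
    {"order_id": "1002", "total": "120.00", "currency": "USD"},
    {"order_id": "1003", "total": "15.00", "currency": "USD"},
    {"order_id": "1004", "total": "80.00", "currency": "USD"},
]
PAYMENTS = [
    {"order_id": "1001", "receiver": "Sales@Merchant.example", "amount": "49.9", "currency": "USD"},
    {"order_id": "1002", "receiver": "buyer@other.example", "amount": "120.00", "currency": "USD"},
    {"order_id": "1003", "receiver": "sales@merchant.example", "amount": "1.50", "currency": "USD"},
]


def check_order(order, payment, merchant_email):
    """Return the reasons an order marked as paid should be held for review."""
    if payment is None:
        return ["no payment record"]
    reasons = []
    # Compare the receiver with the server-side value, never with anything
    # the buyer's browser submitted.
    if payment["receiver"].strip().lower() != merchant_email.lower():
        reasons.append("receiver is not the merchant")
    if payment["currency"] != order["currency"]:
        reasons.append("currency mismatch")
    elif Decimal(payment["amount"]) != Decimal(order["total"]):
        reasons.append("amount mismatch")
    return reasons


def reconcile(orders, payments, merchant_email=MERCHANT_EMAIL):
    """Map order_id -> reasons, for every order that fails a check."""
    by_order = {p["order_id"]: p for p in payments}
    flagged = {}
    for order in orders:
        reasons = check_order(order, by_order.get(order["order_id"]), merchant_email)
        if reasons:
            flagged[order["order_id"]] = reasons
    return flagged


if __name__ == "__main__":
    for order_id, reasons in reconcile(ORDERS, PAYMENTS).items():
        print(order_id, "HOLD:", ", ".join(reasons))
```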
Impact
An attacker can effectively purchase items without paying the merchant for them.
Solution
Update

The vendor has stated that this vulnerability has been addressed in CS-Cart version 3.0.6. They have also released a security patch for the older versions (3.0.x & 2.2.x).
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| CS-Cart | Affected | 24 Jan 2013 | 18 Feb 2013 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 7.1 | AV:N/AC:M/Au:N/C:N/I:C/A:N |
| Temporal | 4.7 | E:U/RL:OF/RC:UC |
| Environmental | 1.3 | CDP:L/TD:L/CR:ND/IR:ND/AR:ND |
Credit
Thanks to Giancarlo Pellegrino, Institute Eurecom and SAP Research, for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
- CVE IDs: CVE-2013-0118
- Date Public: 15 Feb 2013
- Date First Published: 22 Feb 2013
- Date Last Updated: 22 Feb 2013
- Document Revision: 11