CVE-2009-3904
Summary
| CVE | CVE-2009-3904 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2009-11-06 15:30:00 UTC |
| Updated | 2018-10-10 19:47:00 UTC |
| Description | classes/session/cc_admin_session.php in CubeCart 4.3.4 does not properly restrict administrative access permissions, which allows remote attackers to bypass restrictions and gain administrative access via a HTTP request that contains an empty (1) sessID (ccAdmin cookie), (2) X_CLUSTER_CLIENT_IP header, or (3) User-Agent header. |
Risk And Classification
Problem Types: CWE-264
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| CubeCart Session Management Flaw Lets Remote Users Gain Administrative Access - SecurityTracker | SECTRACK | www.securitytracker.com | Exploit |
| CubeCart < 4.3.5 Session Vulnerability - CubeCart Forums | CONFIRM | forums.cubecart.com | Patch |
| IBM X-Force Exchange | XF | exchange.xforce.ibmcloud.com | |
| CubeCart 4.3.5 Released - CubeCart Forums | CONFIRM | forums.cubecart.com | |
| CubeCart Administrative Session Handling Security Bypass Vulnerability - Secunia Advisories - Vulnerability Information - Secunia.com | SECUNIA | secunia.com | Vendor Advisory |
| SecurityFocus | BUGTRAQ | www.securityfocus.com | |
| CubeCart 'admin.php' Authentication Bypass Vulnerability | BID | www.securityfocus.com | Exploit |
| Webmail : Solution de messagerie professionnelle - OVHcloud- OVH | VUPEN | www.vupen.com | Patch, Vendor Advisory |
| Acunetix Web Application Security Blog » CubeCart 4 session management bypass leads to administrator access | MISC | www.acunetix.com | Exploit |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.