CRITICAL🇵🇱 Wersja polska

CVE-2023-26689

CVSS 9.8v3.1pub. 2024-09-25upd. 2025-04-24

An issue discovered in CS-Cart MultiVendor 4.16.1 allows attackers to alter arbitrary user account profiles via crafted post request.

🤖 AI Analysis
How it works

An attacker sends a crafted POST request to the application interface, which allows changing data of any user account. The vulnerability results from insufficient authorization (CWE-286) — the system does not properly verify whether the requester has permissions to modify the specified profile. According to the references, the vulnerability is related to insufficient authorization when creating API keys in CS-Cart MultiVendor.

Impact

An attacker can take control of any user account by modifying their profile data, which can lead to complete breach of confidentiality, integrity and availability of data in the system.

Mitigation & patch

Apply patches available from the manufacturer according to the references. It is also recommended to restrict access to the API interface at the firewall level and monitor unexpected POST requests modifying user profiles.

Who is affected

CS-Cart MultiVendor version 4.16.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Cs Cart Multivendor

    APP
    Cs-Cart
    4.16.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-26686CRITICAL9.8PL ✓ten sam produkt

Niebezpieczne przesyłanie plików w CS-Cart MultiVendor umożliwia RCE

CVE-2023-26687HIGH8.8ten sam produkt

Directory Traversal vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to obtain sensitive in...

CVE-2023-26690HIGH8.8ten sam produkt

File Upload vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via File...

CVE-2023-26691HIGH7.2ten sam produkt

Directory Traversal vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code ...

CVE-2017-2138HIGH8.8ten sam produkt

Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 ...