icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons_061

Comersus Cart < 7.099 Remote Password Disclosure

High

Synopsis

The remote web application allows unauthorized access to other user accounts.

Description

The installed version of Comersus Cart on the remote host suffers from a flaw where registered users can modify the email address and password of other users. The root cause is a failure of the 'comersus_customerModifyExec.asp' script to sanitize user-supplied input. An attacker exploiting this flaw would be able to change the credentials of other users.

Solution

Upgrade to version 7.099 or higher.