X-Cart Concierge Module Information Disclosure

medium Web App Scanning Plugin ID 112893

Language:

Synopsis

X-Cart Concierge Module Information Disclosure

Description

X-Cart Concierge module has been detected on the target X-Cart installation.

This may present an attacker with sensitive information to mount further attacks & may leak the admin account email used to log into the store, official company name, license type of the store and other sensitive data

Solution

Disable the Concierge module or restrict access to the admin page.

See Also

https://kb.x-cart.com/general_setup/admin/overview.html#concierge

https://kb.x-cart.com/general_setup/store_security/secure_configuration.html

Plugin Details

Severity: Medium

ID: 112893

Type: remote

Family: Web Applications

Published: 7/9/2021

Updated: 11/26/2021

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Reference Information

CWE: 538

OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A1

WASC: Predictable Resource Location

CAPEC: 95

DISA STIG: APSC-DV-002480

HIPAA: 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3

OWASP API: 2019-API7, 2023-API8

PCI-DSS: 3.2-2.2