CVE-2025-50849
BaseFortify
Publication date: 2025-07-31
Last updated on: 2025-07-31
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cs_cart | cs_cart | 4.18.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insecure Direct Object Reference (IDOR) in CS-Cart 4.18.3. The user profile functionality lets a user enable or disable stickers through a `company_id` parameter sent in the request, but the server does not verify that the authenticated user is authorized to act on the object that parameter identifies. As a result, an authenticated user can change the `company_id` (or other object identifiers) in the request and affect other users' accounts.
How can this vulnerability impact me?
An authenticated attacker can exploit this vulnerability to modify settings on other users' accounts without authorization, such as toggling sticker settings. This could lead to unauthorized changes to user profiles and may affect user experience and trust in the application.