CVE-2025-59413
BaseFortify
Publication date: 2025-09-22
Last updated on: 2025-09-23
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cubecart | cubecart | to 6.5.11 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59413 is a logic flaw in the CubeCart e-commerce software, versions prior to 6.5.11, specifically in the newsletter subscription endpoint. An attacker can exploit the vulnerability by setting the 'force_unsubscribe' parameter to 1 in a POST request that carries a victim's email address, which forcibly unsubscribes that user from the newsletter without their consent or knowledge. The endpoint performs no authorization check (CWE-862), so the request needs no privileges or user interaction, and remote exploitation can silently remove legitimate subscribers. [2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to unsubscribe legitimate users from your newsletter without their consent. This can disrupt important communications, undermine user trust, and potentially cause loss of engagement or revenue. Since the unsubscription happens silently and without user interaction, it can also damage your reputation and the reliability of your mailing list management. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can negatively affect compliance with regulations such as GDPR and HIPAA because it allows unauthorized modification of user subscription status without explicit user consent. These regulations require that users have control over their personal data and communications preferences, and unauthorized unsubscriptions violate these principles, potentially leading to regulatory non-compliance and associated penalties. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring POST requests to the newsletter subscription endpoint for the presence of the parameter `force_unsubscribe=1`. An example detection method is to capture and inspect HTTP POST traffic targeting the newsletter subscription URL and check whether any request includes `force_unsubscribe=1` together with an email address that does not belong to the requester. Commands to detect this could include using network traffic analysis tools such as tcpdump or Wireshark to filter HTTP POST requests, or using command-line tools like curl or grep on server logs to find suspicious POST parameters. For example, on a server with access logs, you could run: `grep 'force_unsubscribe=1' /path/to/access.log` to find attempts to forcibly unsubscribe users. Note that standard web server access logs record only the request line, not the POST body, so this grep will only match if the parameter was sent in the query string or if request-body logging is enabled; a WAF or reverse proxy that inspects bodies is the more reliable capture point. Additionally, monitoring the newsletter subscriber table for unexpected removals could help detect exploitation. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading CubeCart to version 6.5.11 or later, where the vulnerability is patched by a token-based confirmation mechanism for newsletter unsubscriptions. With the patch, a user must confirm the unsubscription via a unique token sent to their email address, so a request that merely names an address can no longer remove it. If upgrading immediately is not possible, consider monitoring and blocking POST requests containing `force_unsubscribe=1` at the web application firewall or network level to prevent exploitation. Additionally, review and restrict access to the newsletter subscription endpoint and audit subscriber removals for suspicious activity. [3, 4]
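The confirmation-token mechanism described above, illustrated in Python as an added example; this is not CubeCart's own code, and the function names, the in-memory subscriber set and the way the secret is loaded are assumptions made for the example:

```python
import hmac
import hashlib
import secrets
import time

# Constructed in-memory subscriber set, standing in for the newsletter table.
SUBSCRIBERS = {"alice@example.com", "bob@example.com"}

# Server-side secret. Assumption for the example: a real deployment loads it
# from configuration rather than generating it at import time.
UNSUBSCRIBE_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 3600


def make_unsubscribe_token(email, now=None):
    """Bind the subscriber's address to an expiry time with an HMAC.

    The token is only ever mailed to the address it names, so presenting a
    valid one proves control of that mailbox: the authorization check that
    the unpatched endpoint (CWE-862) never performed."""
    exp = (now if now is not None else int(time.time())) + TOKEN_TTL_SECONDS
    msg = f"{email.lower()}|{exp}".encode()
    mac = hmac.new(UNSUBSCRIBE_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"


def verify_unsubscribe_token(email, token, now=None):
    """True only if the token was issued for this email and has not expired."""
    try:
        exp_str, mac = token.split(".", 1)
        exp = int(exp_str)
    except ValueError:
        return False
    if (now if now is not None else int(time.time())) > exp:
        return False
    msg = f"{email.lower()}|{exp}".encode()
    expected = hmac.new(UNSUBSCRIBE_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def handle_unsubscribe(form, now=None):
    """Handler for the unsubscribe POST. force_unsubscribe=1 is ignored entirely;
    only a token that was mailed to the named address removes it."""
    email = form.get("email", "")
    token = form.get("token", "")
    if not verify_unsubscribe_token(email, token, now):
        # Generic reply so the endpoint does not reveal whether the address is subscribed.
        return "confirmation required"
    SUBSCRIBERS.discard(email.lower())
    return "unsubscribed"
```

In practice the token is embedded in the confirmation link mailed by the subscription endpoint, and the unsubscribe handler is the only place it is accepted.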