CVE-2015-6928

Published: Sep 28, 2015
Last modified: Jun 17, 2026

Description

classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x before 6.0.7 does not properly validate that a password reset request was made, which allows remote attackers to change the administrator password via a recovery request with a space character in the validate parameter and the administrator email in the email parameter.
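The description gives the symptom (a lone space in `validate`, plus the administrator's address in `email`, is enough to set a new password) but not the mechanism. The simulation below is an added example, not CubeCart's code, and it assumes one plausible mechanism: the vulnerable handler only tests that `validate` is non-empty, and the token lookup uses a string comparison that ignores trailing spaces, as MySQL's default PAD SPACE collations do, so `' '` matches an account whose stored token is the empty string because no reset was ever requested. The table layout, the `verify` and `verify_expires` fields, the `mysql_pad_space_equal` emulation and `TOKEN_TTL` are all assumptions made for the illustration. The hardened handler beside it refuses when no reset is pending, compares a random single-use token exactly and in constant time, and expires it.

```python
"""Simulation of the reset-token bug pattern behind CVE-2015-6928.

Added example, not CubeCart code.  Assumed mechanism: the vulnerable handler
only checks that 'validate' is non-empty and then looks the token up with a
comparison that ignores trailing spaces (MySQL PAD SPACE semantics), so a
single space matches an admin whose stored token is '' (no reset pending).
"""
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL = 3600.0  # assumed lifetime of a reset token, in seconds


def sample_admins() -> Dict[str, dict]:
    """Constructed sample of the admin table: no reset has been requested,
    so the stored verification token is the empty string (assumed convention)."""
    return {
        "admin@example.com": {
            "verify": "",
            "verify_expires": 0.0,
            "password": "old-hash",
        }
    }


def mysql_pad_space_equal(a: str, b: str) -> bool:
    """Emulates MySQL's default PAD SPACE string comparison, under which
    trailing spaces are insignificant: '' = ' ' evaluates to TRUE.
    This is an assumption about the backend; the emulation is ours."""
    return a.rstrip(" ") == b.rstrip(" ")


def vulnerable_reset(admins: Dict[str, dict], email: str,
                     validate: str, new_password: str) -> bool:
    """Bug pattern: 'validate' only has to be truthy (a space is), and the
    lookup is padding-insensitive, so validate=' ' hits verify=''."""
    row = admins.get(email)
    if row is None or not validate:
        return False
    if mysql_pad_space_equal(row["verify"], validate):
        row["password"] = new_password
        return True
    return False


def request_reset(admins: Dict[str, dict], email: str,
                  now: Optional[float] = None) -> Optional[str]:
    """Hardened flow, step 1: mint a random single-use token with an expiry.
    Returns the token that would be e-mailed to the account holder."""
    row = admins.get(email)
    if row is None:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    row["verify"] = token
    row["verify_expires"] = now + TOKEN_TTL
    return token


def hardened_reset(admins: Dict[str, dict], email: str, validate: str,
                   new_password: str, now: Optional[float] = None) -> bool:
    """Hardened flow, step 2: refuse unless a reset is pending and unexpired,
    compare the token exactly and in constant time, then consume it."""
    row = admins.get(email)
    now = time.time() if now is None else now
    if row is None:
        return False
    stored = row["verify"]
    if not stored or now > row["verify_expires"]:
        return False  # nothing pending: no input can succeed
    if not hmac.compare_digest(stored.encode("utf-8"), validate.encode("utf-8")):
        return False  # exact match required; ' ' or 'token ' do not pass
    row["verify"] = ""          # single use
    row["verify_expires"] = 0.0
    row["password"] = new_password
    return True


if __name__ == "__main__":
    db = sample_admins()
    print("vulnerable, validate=' ':", vulnerable_reset(db, "admin@example.com", " ", "pwned"))
    db = sample_admins()
    print("hardened, validate=' ':", hardened_reset(db, "admin@example.com", " ", "pwned"))
    tok = request_reset(db, "admin@example.com")
    print("hardened, real token:", hardened_reset(db, "admin@example.com", tok, "rotated"))
```

The two properties worth carrying back to any reset handler: an account with no pending reset must fail regardless of what the client sends (the "nothing pending" branch), and the token comparison must be exact at the application layer rather than delegated to a database collation whose equality rules differ from the application's.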

Threat Intelligence

EPSS exploit probability: 80.3% (percentile)
Exploit and patch status: public exploit known; patch available

Weaknesses (1)

CWE-284: Improper Access Control

Affected Products (11)

Vendor     Product    Version   Range
cubecart   cubecart   5.2.12    any
cubecart   cubecart   5.2.13    any
cubecart   cubecart   5.2.14    any
cubecart   cubecart   5.2.15    any
cubecart   cubecart   6.0.0     any
cubecart   cubecart   6.0.1     any
cubecart   cubecart   6.0.2     any
cubecart   cubecart   6.0.3     any
cubecart   cubecart   6.0.4     any
cubecart   cubecart   6.0.5     any
cubecart   cubecart   6.0.6     any

Note: the description covers 5.2.12 through 5.2.16, but the product list above stops at 5.2.15; treat 5.2.16 as affected per the description when matching installed versions.

References (4)

  • packetstormsecurity.com http://packetstormsecurity.com/files/133535/CubeCart-6.0.6-Administrative-Bypass.html
    Exploit
  • seclists.org http://seclists.org/fulldisclosure/2015/Sep/40
    Exploit
  • securitytracker.com http://www.securitytracker.com/id/1034015
  • forums.cubecart.com https://forums.cubecart.com/topic/50277-critical-security-issue-admin-account-hijack/
    Patch, Vendor Advisory

Remediation

  • forums.cubecart.com https://forums.cubecart.com/topic/50277-critical-security-issue-admin-account-hijack/
    Patch, Vendor Advisory

Per the affected version ranges in the description, 6.0.7 is the first fixed 6.x release, and 5.2.12 through 5.2.16 should be upgraded as directed in the vendor advisory above. Because the bypass sets a new administrator password and a public exploit exists, a post-patch check is to audit administrator accounts for passwords or e-mail addresses changed without a legitimate reset request.