CVE-2018-25343

Smartshop 1 Cross-Site Request Forgery via editprofile.php

CVSS 5.3 MEDIUMEPSS 0.1%CWE-352

Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting editprofile.php with hidden fields for email and password parameters that execute automatically when visited by an authenticated admin user.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

Productos afectados

Behance · Smartshop

PoCs públicas encontradas — 1

cve_referencewww.exploit-db.com/exploits/44824no verificado

⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/smakosh/Smartshop/archive/master.zip https://www.behance.net/gallery/49080415/Smartshop-Free-e-commerce-website https://www.exploit-db.com/exploits/44824 https://www.vulncheck.com/advisories/smartshop-1-cross-site-request-forgery-via-editprofile-php