CVE-2009-3904

CubeCart 4.3.4 - Unauthenticated Administrative Access Bypass via Empty Session ID or Headers

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-3904. PoCs published by Bogdan Calin.

AI-analyzed exploit summary This exploit demonstrates an authentication bypass in CubeCart 4.3.4 by manipulating session management. It leverages empty session IDs, user agents, and X_CLUSTER_CLIENT_IP headers to gain administrative access and perform actions like database dumps.

Description

classes/session/cc_admin_session.php in CubeCart 4.3.4 does not properly restrict administrative access permissions, which allows remote attackers to bypass restrictions and gain administrative access via a HTTP request that contains an empty (1) sessID (ccAdmin cookie), (2) X_CLUSTER_CLIENT_IP header, or (3) User-Agent header.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Bogdan Calin · textwebappsphp
https://www.exploit-db.com/exploits/9875

This exploit demonstrates an authentication bypass in CubeCart 4.3.4 by manipulating session management. It leverages empty session IDs, user agents, and X_CLUSTER_CLIENT_IP headers to gain administrative access and perform actions like database dumps.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: CubeCart v4.3.4
No auth needed
Prerequisites: Access to the target CubeCart admin interface · Ability to send crafted HTTP requests
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (9)

Core 9
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/54062
Exploit vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1023120
Patch, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3113
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/507594/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37197
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36882

Scores

EPSS 0.0867
EPSS Percentile 94.4%

Details

CWE
CWE-264
Status published
Products (1)
cubecart/cubecart 4.3.4
Published Nov 06, 2009
Tracked Since Feb 18, 2026