CVE-2009-4120
Quick.Cart 3.4 - Cross-Site Request Forgery via Admin Orders-Delete Action
Title source: llm
Exploitation Summary
EIP tracks 2 public exploits for CVE-2009-4120. PoCs published by Alice Kaerast.
AI-analyzed exploit summary
This exploit demonstrates a CSRF vulnerability in Quick.Cart and Quick.CMS, allowing attackers to perform unauthorized administrative actions via crafted image or iframe tags. The PoC targets specific admin endpoints to delete orders or pages without user interaction.
Description
Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.Cart 3.4 allow remote attackers to hijack the authentication of the administrator for requests that (1) delete orders via an orders-delete action to admin.php, and possibly (2) delete products or (3) delete pages via unspecified vectors.
Exploits (2)
This is a writeup describing a CSRF vulnerability in Quick.Cart 3.4 and Quick.CMS 2.4, in which an attacker can trick an authenticated administrator into deleting products, pages, or orders via crafted HTML elements such as img or iframe tags.