Description
Cross-site request forgery (CSRF) vulnerability in VaM Shop 1.6, 1.6.1, and probably earlier versions allows remote attackers to hijack the authentication of administrators for requests that (1) change user status via admin/customers.php or (2) change user permissions via admin/accounting.php. NOTE: some of these details are obtained from third party information.
Exploits (1)
exploitdb - WORKING POC - by High-Tech Bridge SA (text, webapps, php)
https://www.exploit-db.com/exploits/15968
References (5)
Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://osvdb.org/70431
Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/42869
Exploit (x_refsource_misc): http://www.htbridge.ch/advisory/xsrf_csrf_in_vam_shop.html
Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq): http://www.securityfocus.com/archive/1/515613/100/0/threaded
Exploit, Third Party Advisory (exploit, x_refsource_exploit-db): http://www.exploit-db.com/exploits/15968
Scores
EPSS: 0.0031
EPSS Percentile: 53.9%
Details
CWE: CWE-352
Status: published
Products (2)
vamsoft/vam_shop 1.6
vamsoft/vam_shop < 1.6.1
Published: Jan 20, 2011
Tracked Since: Feb 18, 2026