CVE-2011-5011
xt:Commerce 3.0.4 SP2.1 - Cross-Site Request Forgery via cID Parameter
Title source: llmDescription
Multiple cross-site request forgery (CSRF) vulnerabilities in xt:Commerce 3.0.4 SP2.1 and possibly earlier allow remote attackers to hijack the authentication of Admins for requests that (1) set a New user to Admin via the cID parameter to a statusconfirm action in admin/customers.php and (2) grant permissions to users via the cID parameter to a save action in admin/accounting.php.
References (5)
Core 5
Core References
Third Party Advisory x_refsource_misc
http://dishix.blogspot.com/p/xtcommerce-v304-sp21-cross-site-request_29.html
Broken Link vdb-entry
x_refsource_osvdb
http://osvdb.org/77498
VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/71642
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/47032
Third Party Advisory x_refsource_misc
http://dishix.blogspot.com/2011/11/exploiting-xtcommerce-v304-sp21-cross.html
Scores
EPSS
0.0339
EPSS Percentile
87.4%
Details
CWE
CWE-352
Status
published
Products (1)
xt-commerce/xt-commerce
3.0.4 sp2.1
Published
Dec 25, 2011
Tracked Since
Feb 18, 2026