CVE-2013-1465

CRITICAL

Cubecart < 5.2.0 - Insecure Deserialization

Title source: rule

Description

The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object.

Exploits (1)

exploitdb WRITEUP VERIFIED

by EgiX · textwebappsphp

https://www.exploit-db.com/exploits/24465

View Code ZIP pw:eip

References (9)

[Broken Link] http://archives.neohapsis.com/archives/bugtraq/2013-02/0032.html

[Patch] http://forums.cubecart.com/?showtopic=47026

[Exploit] http://karmainsecurity.com/KIS-2013-02

[Broken Link] http://osvdb.org/89923

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/120094/CubeCart-5.2.0-PHP-Object-Injection.html

[Not Applicable] http://secunia.com/advisories/52072

[Exploit, Third Party Advisory, VDB Entry] http://www.exploit-db.com/exploits/24465

[Broken Link] http://www.securityfocus.com/bid/57770

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/81920

Scores

CVSS v3 9.8

EPSS 0.3101

EPSS Percentile 96.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status draft

Affected Products (1)

cubecart/cubecart < 5.2.0

Timeline

Published Feb 08, 2013

Tracked Since Feb 18, 2026