CVE-2020-12101
Severity: MEDIUM
xt:Commerce 5.1-6.2.2 - Authenticated Address Deletion via ID Manipulation
Title source: llmDescription
The address-management feature in xt:Commerce 5.1 to 6.2.2 allows remote authenticated users to zero out other users' stored addresses by manipulating an id field in the POST request for altering an address.
References (4)
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-012.txt (Exploit, Patch, Third Party Advisory; x_refsource_misc)
https://helpdesk.xt-commerce.com/index.php?/Knowledgebase/Article/View/1784/294/adressbuch-sicherheitspatch-17042020-fr-xtcommerce-51-bis-622 (Patch, Vendor Advisory; x_refsource_confirm)
http://seclists.org/fulldisclosure/2020/May/0 (Exploit, Mailing List, Patch, Third Party Advisory; mailing-list, x_refsource_fulldisc)
http://packetstormsecurity.com/files/157534/xt-Commerce-5.4.1-6.2.1-6.2.2-Improper-Access-Control.html (Exploit, Third Party Advisory, VDB Entry; x_refsource_misc)
Scores
CVSS v3: 4.3
EPSS: 0.0199
EPSS Percentile: 78.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Details
CWE: CWE-276
Status: published
Products (1): xt-commerce/xt-commerce 5.1.0 - 6.2.2
Published: Apr 30, 2020
Tracked Since: Feb 18, 2026