CVE-2020-9009

LOW

ShipStation.com plugin for CS-Cart < 1.1 - Unauthenticated Database Manipulation via shipnotify Endpoint

Title source: llm
STIX 2.1

Description

The ShipStation.com plugin 1.1 and earlier for CS-Cart allows remote attackers to insert arbitrary information into the database (via action=shipnotify) because access to this endpoint is completely unchecked. The attacker must guess an order number.

References (2)

Core 2
Core References
Exploit, Patch, Third Party Advisory
https://www.jerdiggity.com/node/870

Scores

CVSS v3 3.7
EPSS 0.0063
EPSS Percentile 46.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (1)
shipstation/shipstation < 1.1
Published Apr 11, 2023
Tracked Since Feb 18, 2026