Vulnerabilities > CVE-2013-1465 - Deserialization of Untrusted Data vulnerability in Cubecart

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

cubecart

CWE-502

critical

exploit available

NVD

Published: 2013-02-08

Updated: 2024-01-09

Summary

The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object.

Vulnerable Configurations

Part	Description	Count
Application	Cubecart Cubecart Cubecart 5.0.0 Cubecart Cubecart 5.0.1 Cubecart Cubecart 5.0.2 Cubecart Cubecart 5.0.3 Cubecart Cubecart 5.0.4 Cubecart Cubecart 5.0.5 Cubecart Cubecart 5.0.6 Cubecart Cubecart 5.0.7 Cubecart Cubecart 5.0.8 Cubecart Cubecart 5.0.9 Cubecart Cubecart 5.1.0 Cubecart Cubecart 5.1.1 Cubecart Cubecart 5.1.2 Cubecart Cubecart 5.1.2.1 Cubecart Cubecart 5.1.2.2 Cubecart Cubecart 5.1.3 Cubecart Cubecart 5.1.4 Cubecart Cubecart 5.1.5 Cubecart Cubecart 5.2.0	19

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Exploit-Db

description	CubeCart 5.2.0 (cubecart.class.php) PHP Object Injection Vulnerability. CVE-2013-1465. Webapps exploit for php platform
file	exploits/php/webapps/24465.txt
id	EDB-ID:24465
last seen	2016-02-02
modified	2013-02-07
platform	php
port
published	2013-02-07
reporter	EgiX
source	https://www.exploit-db.com/download/24465/
title	CubeCart 5.2.0 cubecart.class.php PHP Object Injection Vulnerability
type	webapps

Packetstorm

data source	https://packetstormsecurity.com/files/download/120094/KIS-2013-02.txt
id	PACKETSTORM:120094
last seen	2016-12-05
published	2013-02-06
reporter	EgiX
source	https://packetstormsecurity.com/files/120094/CubeCart-5.2.0-PHP-Object-Injection.html
title	CubeCart 5.2.0 PHP Object Injection

Seebug

bulletinFamily	exploit
description	No description provided by source.
id	SSV:78187
last seen	2017-11-19
modified	2014-07-01
published	2014-07-01
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-78187
title	CubeCart 5.2.0 (cubecart.class.php) PHP Object Injection Vulnerability

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Packetstorm

Seebug

References