Published:2017/04/10  Last Updated:2017/04/10

JVN#87770873
CS-Cart Japanese Edition vulnerable to cross-site request forgery

Overview

CS-Cart Japanese Edition contains a cross-site request forgery vulnerability.

Products Affected

  • CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3)
  • CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3)

Description

​CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition contains a cross-site request forgery (CWE-352) vulnerability.

Impact

If a consumer views a malicious page while logged in, an unintended item may be purchased.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
Frogman Office Inc. Vulnerable 2017/04/10 Frogman Office Inc. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base Score: 4.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N
Base Score: 2.6
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Hirota Kazuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2017-2138
JVN iPedia JVNDB-2017-000057