Vulnerabilities related to cubecart - v6
CVE-2025-59413 (GCVE-0-2025-59413)
Vulnerability from cvelistv5
Published
2025-09-22 16:15
Modified
2025-09-22 17:26
CWE
  • CWE-862 - Missing Authorization
Summary
CubeCart is an ecommerce software solution. Prior to version 6.5.11, a logic flaw exists in the newsletter subscription endpoint that allows an attacker to unsubscribe any user without their consent. By changing the value of the force_unsubscribe parameter in the POST request to 1, an attacker can force the removal of any valid subscriber’s email address. This issue has been patched in version 6.5.11.
Impacted products
Vendor Product Version
cubecart v6 Version: < 6.5.11


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59413",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-22T16:53:24.182448Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-22T17:26:29.173Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/cubecart/v6/security/advisories/GHSA-869v-gjv8-9m7f"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "v6",
          "vendor": "cubecart",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.5.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CubeCart is an ecommerce software solution. Prior to version 6.5.11, a logic flaw exists in the newsletter subscription endpoint that allows an attacker to unsubscribe any user without their consent. By changing the value of the force_unsubscribe parameter in the POST request to 1, an attacker can force the removal of any valid subscriber\u2019s email address. This issue has been patched in version 6.5.11."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-22T16:15:00.351Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/cubecart/v6/security/advisories/GHSA-869v-gjv8-9m7f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/cubecart/v6/security/advisories/GHSA-869v-gjv8-9m7f"
        },
        {
          "name": "https://github.com/cubecart/v6/commit/7fd1cd04f5d5c3ce1d7980327464f0ff6551de79",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cubecart/v6/commit/7fd1cd04f5d5c3ce1d7980327464f0ff6551de79"
        },
        {
          "name": "https://github.com/cubecart/v6/commit/db965fcfa260c4f17eb16f8c5494e5af4a8ac271",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cubecart/v6/commit/db965fcfa260c4f17eb16f8c5494e5af4a8ac271"
        },
        {
          "name": "https://github.com/cubecart/v6/commit/dbc58cf1f7a6291f7add5893b56bff7920a29128",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cubecart/v6/commit/dbc58cf1f7a6291f7add5893b56bff7920a29128"
        }
      ],
      "source": {
        "advisory": "GHSA-869v-gjv8-9m7f",
        "discovery": "UNKNOWN"
      },
      "title": "CubeCart Unauthorized Newsletter Unsubscription via force_unsubscribe Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-59413",
    "datePublished": "2025-09-22T16:15:00.351Z",
    "dateReserved": "2025-09-15T19:13:16.903Z",
    "dateUpdated": "2025-09-22T17:26:29.173Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-59411 (GCVE-0-2025-59411)
Vulnerability from cvelistv5
Published
2025-09-22 16:14
Modified
2025-09-22 17:26
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form’s Enquiry field accepts raw HTML and that HTML is included verbatim in the email sent to the store admin. By submitting HTML in the Enquiry, the admin receives an email containing that HTML. This indicates user input is not being escaped or sanitized before being output in email (and possibly when re-rendering the form), leading to Cross-Site Scripting / HTML injection risk in email clients or admin UI. This issue has been patched in version 6.5.11.
Impacted products
Vendor Product Version
cubecart v6 Version: < 6.5.11


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59411",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-22T16:53:47.514587Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-22T17:26:43.827Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/cubecart/v6/security/advisories/GHSA-5hg3-m3q3-v2p4"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "v6",
          "vendor": "cubecart",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.5.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form\u2019s Enquiry field accepts raw HTML and that HTML is included verbatim in the email sent to the store admin. By submitting HTML in the Enquiry, the admin receives an email containing that HTML. This indicates user input is not being escaped or sanitized before being output in email (and possibly when re-rendering the form), leading to Cross-Site Scripting / HTML injection risk in email clients or admin UI. This issue has been patched in version 6.5.11."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-22T16:14:23.843Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/cubecart/v6/security/advisories/GHSA-5hg3-m3q3-v2p4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/cubecart/v6/security/advisories/GHSA-5hg3-m3q3-v2p4"
        },
        {
          "name": "https://github.com/cubecart/v6/commit/299065bd4a8836782ce92f70988c730f130756db",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cubecart/v6/commit/299065bd4a8836782ce92f70988c730f130756db"
        },
        {
          "name": "https://github.com/cubecart/v6/commit/48336c54532705873a8c4106208c2d596f128047",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cubecart/v6/commit/48336c54532705873a8c4106208c2d596f128047"
        }
      ],
      "source": {
        "advisory": "GHSA-5hg3-m3q3-v2p4",
        "discovery": "UNKNOWN"
      },
      "title": "CubeCart Stored/Reflected HTML Injection Vulnerability in Contact Enquiry"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-59411",
    "datePublished": "2025-09-22T16:14:23.843Z",
    "dateReserved": "2025-09-15T19:13:16.903Z",
    "dateUpdated": "2025-09-22T17:26:43.827Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-59412 (GCVE-0-2025-59412)
Vulnerability from cvelistv5
Published
2025-09-22 16:14
Modified
2025-09-22 17:26
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
CubeCart is an ecommerce software solution. Prior to version 6.5.11, a vulnerability exists in the product reviews feature where user-supplied input is not properly sanitized before being displayed. An attacker can submit HTML tags inside the review description field. Once the administrator approves the review, the injected HTML is rendered on the product page for all visitors. This could be used to redirect users to malicious websites or to display unwanted content. This issue has been patched in version 6.5.11.
Impacted products
Vendor Product Version
cubecart v6 Version: < 6.5.11


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59412",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-22T16:53:36.543616Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-22T17:26:36.393Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/cubecart/v6/security/advisories/GHSA-qfrx-vvvp-h5m2"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "v6",
          "vendor": "cubecart",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.5.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CubeCart is an ecommerce software solution. Prior to version 6.5.11, a vulnerability exists in the product reviews feature where user-supplied input is not properly sanitized before being displayed. An attacker can submit HTML tags inside the review description field. Once the administrator approves the review, the injected HTML is rendered on the product page for all visitors. This could be used to redirect users to malicious websites or to display unwanted content. This issue has been patched in version 6.5.11."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-22T16:14:44.152Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/cubecart/v6/security/advisories/GHSA-qfrx-vvvp-h5m2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/cubecart/v6/security/advisories/GHSA-qfrx-vvvp-h5m2"
        },
        {
          "name": "https://github.com/cubecart/v6/commit/1a0c0d8f6c9c141575eb5be07d04e7d49820005b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cubecart/v6/commit/1a0c0d8f6c9c141575eb5be07d04e7d49820005b"
        },
        {
          "name": "https://github.com/cubecart/v6/commit/7d4bf593304332fa1258d4f0b10dd7c9f6283a86",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cubecart/v6/commit/7d4bf593304332fa1258d4f0b10dd7c9f6283a86"
        }
      ],
      "source": {
        "advisory": "GHSA-qfrx-vvvp-h5m2",
        "discovery": "UNKNOWN"
      },
      "title": "CubeCart Vulnerable to HTML Injection in Product Reviews Allows Malicious Links and Defacement"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-59412",
    "datePublished": "2025-09-22T16:14:44.152Z",
    "dateReserved": "2025-09-15T19:13:16.903Z",
    "dateUpdated": "2025-09-22T17:26:36.393Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-59335 (GCVE-0-2025-59335)
Vulnerability from cvelistv5
Published
2025-09-22 16:13
Modified
2025-09-22 17:26
CWE
  • CWE-613 - Insufficient Session Expiration
Summary
CubeCart is an ecommerce software solution. Prior to version 6.5.11, there is an absence of automatic session expiration following a user's password change. This oversight poses a security risk: if a user forgets to log out from a location where they accessed their account, an unauthorized user can maintain access even after the password has been changed. Due to this bug, if an account has already been compromised, the legitimate user has no way to revoke the attacker’s access. The malicious actor retains full access to the account until their session naturally expires. This means the account remains insecure even after the password has been changed. This issue has been patched in version 6.5.11.
Impacted products
Vendor Product Version
cubecart v6 Version: < 6.5.11


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59335",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-22T16:53:59.799475Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-22T17:26:51.453Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/cubecart/v6/security/advisories/GHSA-4vwh-x8m2-fmvv"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "v6",
          "vendor": "cubecart",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.5.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CubeCart is an ecommerce software solution. Prior to version 6.5.11, there is an absence of automatic session expiration following a user\u0027s password change. This oversight poses a security risk, as if a user forgets to log out from a location where they accessed their account, an unauthorized user can maintain access even after the password has been changed. Due to this bug, if an account has already been compromised, the legitimate user has no way to revoke the attacker\u2019s access. The malicious actor retains full access to the account until their session naturally expires. This means the account remains insecure even after the password has been changed. This issue has been patched in version 6.5.11."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613: Insufficient Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-22T16:13:23.838Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/cubecart/v6/security/advisories/GHSA-4vwh-x8m2-fmvv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/cubecart/v6/security/advisories/GHSA-4vwh-x8m2-fmvv"
        },
        {
          "name": "https://github.com/cubecart/v6/commit/4bfaeb4485dd82255a108940a163af5ba4583b52",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cubecart/v6/commit/4bfaeb4485dd82255a108940a163af5ba4583b52"
        },
        {
          "name": "https://github.com/cubecart/v6/commit/62d9be8416aa6fd7343f8932d98c5b112b163e26",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cubecart/v6/commit/62d9be8416aa6fd7343f8932d98c5b112b163e26"
        }
      ],
      "source": {
        "advisory": "GHSA-4vwh-x8m2-fmvv",
        "discovery": "UNKNOWN"
      },
      "title": "CubeCart Session Not Invalidated After Password Change"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-59335",
    "datePublished": "2025-09-22T16:13:23.838Z",
    "dateReserved": "2025-09-12T12:36:24.635Z",
    "dateUpdated": "2025-09-22T17:26:51.453Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}