{"vuid":"VU#583564","idnumber":"583564","name":"CS-Cart v3.0.4 configured with PayPal Standard Payments design vulnerability","keywords":["cs-cart","paypal"],"overview":"CS-Cart v3.0.4, and possibly other versions, configured with PayPal Standard Payments is susceptible to a client-side attack that results in an attacker purchasing items without having to pay for them.","clean_desc":"It has been reported that CS-Cart v3.0.4 configured with PayPal Standard Payments contains a design flaw that allows an attacker to buy items without having to pay for them. The parameter for the merchant's PayPal email address is controlled on the client side and not verified by the server. This allows an attacker to change the PayPal email address to one the attacker controls, allowing the attacker to purchase items on a website but effectively pay themselves instead of the merchant. Manual verification of website orders against the PayPal transactions would need to be performed to detect this fraud.","impact":"An attacker can effectively purchase items without paying the merchant for them.","resolution":"Update: The vendor has stated that this vulnerability has been addressed in CS-Cart version 3.0.6. They have also released a security patch for the older versions (3.0.x and 2.2.x).","workarounds":"","sysaffected":"","thanks":"Thanks to Giancarlo Pellegrino of Institute Eurecom and SAP Research for reporting this vulnerability.","author":"This document was written by Michael Orlando.","public":["https://www.cs-cart.com/overview.html"],"cveids":["CVE-2013-0118"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2013-01-22T15:19:30Z","publicdate":"2013-02-15T00:00:00Z","datefirstpublished":"2013-02-22T13:06:44Z","dateupdated":"2013-02-22T13:06:49Z","revision":11,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"N","cvss_integrityimpact":"C","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"UC","cvss_collateraldamagepotential":"L","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"7.1","cvss_basevector":"AV:N/AC:M/Au:N/C:N/I:C/A:N","cvss_temporalscore":"4.7","cvss_environmentalscore":"1.3","cvss_environmentalvector":"CDP:L/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}