CS-Cart
CVE-2025-50847
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CSRF inherently requires UI:R; comparison list modification yields I:L only, with no confidentiality or availability impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Cross Site Request Forgery (CSRF) vulnerability in CS Cart 4.18.3, allows attackers to add products to a user's comparison list via a crafted HTTP request.
AnalysisAI
Cross-Site Request Forgery in CS-Cart 4.18.3 permits an attacker to silently add arbitrary products to an authenticated user's comparison list by tricking the victim into loading a crafted HTTP request. The impact is confined to unauthorized modification of the comparison list feature - no data exfiltration or account takeover is possible via this vector. No public exploit identified at time of analysis, and the EPSS score of 0.14% (4th percentile) reflects very low real-world exploitation interest.
Technical ContextAI
CS-Cart (cpe:2.3:a:cs-cart:cs-cart:4.18.3:*:*:*:*:*:*:*) is a PHP-based commercial e-commerce platform. CWE-352 (Cross-Site Request Forgery) describes a root cause where a web application accepts state-changing requests without verifying that the request originated from the legitimate user's own session - typically because anti-CSRF tokens are absent or not validated on the endpoint that manages the comparison list. An attacker who can serve content to a victim's browser (e.g., via a malicious link or embedded iframe) can forge a request that the victim's authenticated session will sign, causing the server to act on the attacker's behalf. The vulnerability is specific to version 4.18.3; no CPE data indicates earlier or later versions are confirmed affected.
RemediationAI
No vendor-released patch has been identified at time of analysis - the only available reference is a researcher-authored GitHub disclosure with no corresponding CS-Cart vendor advisory or patched release version. CS-Cart users on version 4.18.3 should monitor the official CS-Cart changelog and security advisories for a fix. As a compensating control, site administrators can consider disabling or restricting access to the product comparison feature if it is not business-critical, which eliminates the attack surface entirely. Additionally, a Web Application Firewall (WAF) rule that enforces the presence of a valid Referer or Origin header on state-changing requests can reduce exposure, though this is not a substitute for proper server-side CSRF token validation. Restricting the comparison list endpoint to authenticated sessions only - if not already the case - limits the attack to scenarios where the victim is logged in. The researcher disclosure is at https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50847.md.
Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of
Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remot
Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), C
Credential brute-forcing against CS-Cart 4.18.3 is possible because the vendor login endpoint ships without CAPTCHA, rat
The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP
Unrestricted HTML file upload in CS-Cart 4.18.3 enables stored cross-site scripting and phishing attacks against users o
In CS-Cart version 4.11.1, it is possible to induce copy-paste XSS by manipulating the "post description" filed in the b
Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multiv
CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and ear
CS-Cart before 3.0.6, when PayPal Standard Payments is configured, allows remote attackers to set the payment recipient
Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary w
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today