CVE-2025-50849
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
CS Cart 4.18.3 is vulnerable to Insecure Direct Object Reference (IDOR). The user profile functionality allows enabling or disabling stickers through a parameter (company_id) sent in the request. However, this operation is not properly validated on the server side. An authenticated user can manipulate the request to target other users' accounts and toggle the sticker setting by modifying the company_id or other object identifiers.
AnalysisAI
Insecure Direct Object Reference in CS-Cart 4.18.3 lets an authenticated shopper toggle the 'sticker' enable/disable setting on other users' accounts by tampering with the company_id (or similar object identifier) parameter in the user-profile request, because the server never verifies that the caller owns the referenced object. A public technical write-up documenting the request manipulation exists on GitHub, though the flaw is not in CISA KEV and carries a low EPSS score (0.26%, 17th percentile), indicating no confirmed active exploitation. The real-world impact is a low-severity authorization/integrity issue rather than the account takeover implied by the reported CVSS of 8.0.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today