Critical Security Issue: Admin account hijack


Al Brookbanks

A critical security vulnerability has been brought to our attention by Fernando Camara. If an administrator's email is known to a hacker it may be possible to take control of the account and have complete access to the store's control panel.

Affected Versions: 5.2.12 to 6.0.6

To patch, please download the following files and replace your existing ones with them. It is then recommended to log in and change all administrator passwords.

CubeCart v6 Patch: classes/admin.class.php (GitHub commit: 2bee289)
CubeCart v5 Patch: classes/admin.class.php (GitHub commit: 353d39b)

CubeCart 5.2.17 and 6.0.7 will be released later today patching this vulnerability.

Many thanks to Fernando for reporting this issue in such a responsible manner. At CubeCart we take security as our number one priority. We apologise sincerely to anyone who has been victimised by this issue. The issue was first reported to us at 12:50pm on Sunday 6th September and patches have been released in less than 24 hours.
