Description
The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object.
Remediation
References