CVE-2023-38130

8.1 HIGH

📋 TL;DR

A cross-site request forgery (CSRF) vulnerability in CubeCart e-commerce software allows unauthenticated remote attackers to delete data from the system. This affects all CubeCart installations prior to version 6.5.3. Attackers can exploit this by tricking authenticated administrators into visiting malicious web pages.

💻 Affected Systems

Products:
  • CubeCart
Versions: All versions prior to 6.5.3
Operating Systems: Any OS running CubeCart
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete data loss including product catalogs, customer information, orders, and configuration settings, potentially causing business disruption and data breach.

🟠 Likely Case

Partial data deletion affecting product listings, customer accounts, or order history, leading to operational impact and potential data integrity issues.

🟢 If Mitigated

No impact if proper CSRF protections are implemented or if the system is patched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CSRF attacks are well understood and easy to weaponize. Exploitation requires that an administrator hold an authenticated session in their browser, but the attacker does not need any credentials of their own.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.3

Vendor Advisory: https://forums.cubecart.com/topic/58736-cubecart-653-released-security-update/

Restart Required: No

Instructions:

1. Backup your CubeCart database and files.
2. Download CubeCart 6.5.3 from the official website.
3. Replace all files with the new version (except configuration files).
4. Run the upgrade script if prompted.
5. Clear browser cache and test functionality.

🔧 Temporary Workarounds

Implement CSRF Tokens (applies to all affected versions)

Add anti-CSRF tokens to all administrative forms and validate them server-side on every state-changing submission; reject the request when the token is missing or does not match the one bound to the admin session.

Requires custom code modification to CubeCart source files

SameSite Cookie Attribute (applies to all affected versions)

Configure session cookies with the SameSite=Strict attribute so that browsers omit the admin session cookie from requests initiated by other sites, which is what a CSRF page relies on. Note that Strict also drops the cookie on ordinary cross-site links into the admin panel, so administrators may have to log in again after following such a link.

Modify PHP session configuration (PHP 7.3 or later): session.cookie_samesite = "Strict"
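As an added example (not CubeCart's own code), the two workarounds above combined in one PHP snippet: a SameSite=Strict session cookie plus a per-session anti-CSRF token that is embedded in admin forms and checked before any state-changing action. The names csrf_token, csrf_validate, csrf_field and the _csrf field are assumptions; wiring the helpers into CubeCart's own admin templates and handlers is left to the integrator.

```php
<?php
// Added example, not CubeCart code. Helper and field names are assumptions.
declare(strict_types=1);

// Workaround 2: issue the session cookie with SameSite=Strict (plus Secure and
// HttpOnly). Must run before session_start(); equivalent to setting
// session.cookie_samesite = "Strict" in php.ini (PHP 7.3+).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// Workaround 1: one unguessable token per admin session, kept server-side.
function csrf_token(): string
{
    if (empty($_SESSION['_csrf'])) {
        $_SESSION['_csrf'] = bin2hex(random_bytes(32)); // 256 bits of CSPRNG output
    }
    return $_SESSION['_csrf'];
}

// Validate the token sent with a state-changing request. hash_equals() compares
// in constant time; a missing, empty or mismatched token rejects the request.
function csrf_validate(?string $submitted): bool
{
    $expected = $_SESSION['_csrf'] ?? '';
    return $expected !== '' && $submitted !== null && hash_equals($expected, $submitted);
}

// Hidden field to render inside every administrative form.
function csrf_field(): string
{
    return '<input type="hidden" name="_csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Gate a deletion handler: only POST requests carrying a valid token proceed.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_validate($_POST['_csrf'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
    // ... perform the privileged action (for example the delete) here ...
}
```

A cross-site page cannot read the token (same-origin policy) and, with SameSite=Strict, its request does not carry the session cookie either, so either control alone defeats the forged request.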

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that block state-changing requests to admin endpoints whose Origin or Referer header is missing or points to a site other than your store
  • Require re-authentication for sensitive administrative actions like data deletion

🔍 How to Verify

Check if Vulnerable:

Check CubeCart version in admin panel or examine /includes/global.inc.php for version number

Check Version:

grep -i 'version' /path/to/cubecart/includes/global.inc.php

Verify Fix Applied:

Verify version is 6.5.3 or higher in admin dashboard

📡 Detection & Monitoring

Log Indicators:

  • Multiple DELETE/POST requests from same IP to admin endpoints
  • Unusual data deletion patterns in admin logs

Network Indicators:

  • State-changing (POST/DELETE) requests to admin endpoints with a missing Referer/Origin header, or one naming a site other than the store
  • Sequences of admin requests that fit a scripted CSRF page rather than interactive use, such as deletions issued immediately after an unrelated page load with no preceding form view

SIEM Query:

source="cubecart_logs" AND uri_path="/admin/*" AND (method="POST" OR method="DELETE") AND (referer="" OR NOT referer="https://<your-store-domain>/*")

The field names above are illustrative and should be mapped to your log schema; replace <your-store-domain> with the store's actual hostname.
