CVE-2023-43149

8.8 HIGH

📋 TL;DR

SPA-Cart 1.9.0.3 has a CSRF vulnerability that allows attackers to create admin accounts with full privileges by tricking authenticated administrators into clicking malicious links. This affects all deployments using the vulnerable version without CSRF protections.

💻 Affected Systems

Products:
  • SPA-Cart
Versions: 1.9.0.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with admin panel accessible and admin sessions active.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the e-commerce platform with attacker gaining full administrative control, allowing data theft, financial fraud, and website defacement.

🟠

Likely Case

Attackers create backdoor admin accounts to maintain persistent access, potentially leading to data exfiltration or further system compromise.

🟢

If Mitigated

With proper CSRF protections, the attack fails as requests require valid tokens, limiting impact to failed attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick an authenticated admin into clicking a malicious link while their admin session is active.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Implement CSRF protections manually, or upgrade if a newer version exists.

🔧 Temporary Workarounds

Implement CSRF Tokens

Applies to: all

Add CSRF token validation to all admin actions, especially user creation endpoints.

Restrict Admin Panel Access

Applies to: all

Limit admin panel access to specific IP addresses or VPN-only connections.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block CSRF attempts
  • Require re-authentication for sensitive admin actions like user creation

🔍 How to Verify

Check if Vulnerable:

Check if admin user creation endpoints lack CSRF token validation by inspecting form submissions.

Check Version:

Check SPA-Cart version in admin panel or configuration files.

Verify Fix Applied:

Test that admin user creation requests without valid CSRF tokens are rejected.
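Added example (not SPA-Cart code) showing the "Implement CSRF Tokens" workaround and the "Verify Fix Applied" check together: a stand-in for the admin user-creation handler that binds a synchronizer token to the admin session, rejects cross-site requests by Origin/Referer, and compares tokens in constant time. The endpoint name follows the advisory's admin/user_create; SITE_ORIGIN, the session dict and the handler itself are assumptions for illustration. The verification routine at the bottom replays the requests a tester would send (no token, wrong token, no origin headers, legitimate) and reports the status codes.

```python
import hmac
import secrets

SITE_ORIGIN = "https://shop.example"  # assumed deployment origin (example value)


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the admin session (synchronizer-token pattern)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_allowed(headers: dict) -> bool:
    """Accept only same-origin requests: check Origin first, fall back to Referer.

    Neither header present is treated as cross-site, which is the safe default
    for a state-changing admin action."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return referer.startswith(SITE_ORIGIN + "/")
    return False


def handle_admin_user_create(session: dict, headers: dict, form: dict) -> tuple:
    """Hardened stand-in for POST admin/user_create (hypothetical handler).

    Returns (http_status, message). Account creation itself is not implemented."""
    if not session.get("admin_id"):
        return 401, "not authenticated"
    if not origin_allowed(headers):
        return 403, "cross-site request rejected"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # compare_digest avoids leaking the token through timing differences
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    return 200, "created admin user %s" % form.get("username")


def run_verification() -> dict:
    """Replay the requests a tester would send and collect the status codes.

    Every request runs inside an authenticated admin session, exactly the
    situation CSRF abuses; only the legitimate one should succeed."""
    session = {"admin_id": 1}
    token = issue_csrf_token(session)
    same_site = {"Origin": SITE_ORIGIN}
    cross_site = {"Origin": "https://attacker-controlled.example"}  # constructed value
    return {
        "cross_site_no_token": handle_admin_user_create(
            session, cross_site, {"username": "backdoor"})[0],
        "same_site_wrong_token": handle_admin_user_create(
            session, same_site, {"username": "backdoor", "csrf_token": "guess"})[0],
        "no_origin_headers": handle_admin_user_create(
            session, {}, {"username": "backdoor", "csrf_token": token})[0],
        "legitimate": handle_admin_user_create(
            session, same_site, {"username": "newadmin", "csrf_token": token})[0],
    }


if __name__ == "__main__":
    for case, status in run_verification().items():
        print("%-22s -> %d" % (case, status))
```

The "Verify Fix Applied" condition from this advisory corresponds to the first three cases returning 403 and only the last returning 200; a handler that returns 200 for any of the forged cases is still vulnerable. The Origin/Referer check is a second layer, not a replacement for the token, because some clients and proxies strip Referer.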

📡 Detection & Monitoring

Log Indicators:

  • Multiple admin user creation attempts from unusual IPs
  • Admin actions without referrer headers

Network Indicators:

  • POST requests to admin/user_create endpoints without CSRF tokens
  • Requests with mismatched referrer/origin headers

SIEM Query:

web_access_logs WHERE (uri CONTAINS 'admin' AND method = 'POST') AND (referrer IS NULL OR referrer NOT CONTAINS domain)
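Added example (not part of the advisory) that runs the SIEM query's logic over a few constructed combined-format access log lines: POST requests to admin URIs whose referrer is absent or points off-site are flagged, and user-creation attempts are counted per source IP (the "multiple attempts from unusual IPs" indicator above). It goes one step beyond the query text by comparing the referrer's parsed hostname exactly against the site domain instead of a substring CONTAINS match, since a substring match also accepts an attacker host that merely embeds the domain name. SITE_DOMAIN, the log lines and the IPs are constructed example values.

```python
import re
from collections import Counter
from urllib.parse import urlparse

SITE_DOMAIN = "shop.example"  # assumed; stands in for "domain" in the SIEM query

# Constructed combined-format access log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - admin [12/Oct/2023:10:01:02 +0000] "POST /admin/user_create HTTP/1.1" 302 0 "https://shop.example/admin/users" "Mozilla/5.0"
203.0.113.7 - admin [12/Oct/2023:10:05:41 +0000] "POST /admin/user_create HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - admin [12/Oct/2023:10:06:10 +0000] "POST /admin/user_create HTTP/1.1" 302 0 "https://shop.example.attacker-controlled.example/promo" "Mozilla/5.0"
203.0.113.7 - admin [12/Oct/2023:10:07:00 +0000] "GET /admin/users HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Oct/2023:10:08:15 +0000] "POST /cart/add HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referrer_is_onsite(referrer: str) -> bool:
    """True only when the referrer's hostname is exactly the site domain.

    "-" is how the log records a missing header, i.e. the query's IS NULL case."""
    if referrer in ("", "-"):
        return False
    return urlparse(referrer).hostname == SITE_DOMAIN


def suspicious_reason(entry: dict):
    """Apply the advisory's query: POST to an admin URI with no/off-site referrer."""
    if entry["method"] != "POST" or "admin" not in entry["uri"]:
        return None
    if entry["referrer"] in ("", "-"):
        return "no referrer"
    if not referrer_is_onsite(entry["referrer"]):
        return "off-site referrer %s" % entry["referrer"]
    return None


def find_suspicious(log_text: str) -> list:
    """Return flagged entries, each with the reason attached."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = suspicious_reason(entry)
        if reason:
            entry["reason"] = reason
            hits.append(entry)
    return hits


def user_create_attempts_by_ip(log_text: str) -> dict:
    """Count POSTs to the user-creation endpoint per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["method"] == "POST" and "admin/user_create" in entry["uri"]:
            counts[entry["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["uri"], "->", hit["reason"])
    print(user_create_attempts_by_ip(SAMPLE_LOG))
```

On the sample, the first line is a normal same-site submission and is not flagged, the second is flagged for a missing referrer, and the third is flagged as off-site even though its hostname contains "shop.example"; the GET and the non-admin POST are ignored. A referrer-only rule produces false positives for admins whose browsers or privacy extensions suppress Referer, so treat these hits as triage leads and corroborate them against the admin user table.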
