CVE-2020-9009

low-risk
Published 2023-04-11

The ShipStation.com plugin 1.1 and earlier for CS-Cart allows remote attackers to insert arbitrary information into the database (via action=shipnotify) because access to this endpoint is completely unchecked. The attacker must guess an order number.

Do I need to act?

-
0.27% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.7/10 Low
NETWORK / HIGH complexity

Affected Products (1)

Shipstation

Affected Vendors

Shipstation

References (4)

Not Applicable https://help.shipstation.com/hc/en-us/articles/360025855352-CS-Cart
Exploit https://www.jerdiggity.com/node/870
Not Applicable https://help.shipstation.com/hc/en-us/articles/360025855352-CS-Cart
Exploit https://www.jerdiggity.com/node/870
19
/ 100
low-risk
Severity 13/34 · Low
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal