Description
The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object.
Remediation
References