CVE-2025-50849

CS Cart 4.18.3 is vulnerable to Insecure Direct Object Reference (IDOR). The user profile functionality allows enabling or disabling stickers through a parameter (company_id) sent in the request. However, this operation is not properly validated on the server side. An authenticated user can manipulate the request to target other users' accounts and toggle the sticker setting by modifying the company_id or other object identifiers.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://cs.com
https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50849.md

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) CS Cart 4.18.3 es vulnerable a la Referencia Directa a Objetos Insegura (IDOR). La función de perfil de usuario permite habilitar o deshabilitar stickers mediante un parámetro (company_id) enviado en la solicitud. Sin embargo, esta operación no se valida correctamente en el servidor. Un usuario autenticado puede manipular la solicitud para afectar las cuentas de otros usuarios y activar o desactivar la configuración de stickers modificando el company_id u otros identificadores de objeto.

31 Jul 2025, 16:15

Type	Values Removed	Values Added
CWE		CWE-639
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.0

31 Jul 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-31 15:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-50849

Mitre link : CVE-2025-50849

CVE.ORG link : CVE-2025-50849

JSON object : View

Products Affected

No product.

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

8.0 /10