CVE-2025-50850 - Vulnerability Details - OpenCVE

An issue was discovered in CS Cart 4.18.3 allows the vendor login functionality lacks essential security controls such as CAPTCHA verification and rate limiting. This allows an attacker to systematically attempt various combinations of usernames and passwords (brute-force attack) to gain unauthorized access to vendor accounts. The absence of any blocking mechanism makes the login endpoint susceptible to automated attacks.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cs-cart	Cs-cart

Configuration 1 [-]

cpe:2.3:a:cs-cart:cs-cart:4.18.3:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://cs.com
https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50850.md

History

Wed, 06 Aug 2025 16:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:cs-cart:cs-cart:4.18.3:::::::*

Thu, 31 Jul 2025 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284 CWE-804
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H'}`

Thu, 31 Jul 2025 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cs-cart Cs-cart cs-cart
Vendors & Products		Cs-cart Cs-cart cs-cart

Thu, 31 Jul 2025 16:00:00 +0000

Type	Values Removed	Values Added
Description		An issue was discovered in CS Cart 4.18.3 allows the vendor login functionality lacks essential security controls such as CAPTCHA verification and rate limiting. This allows an attacker to systematically attempt various combinations of usernames and passwords (brute-force attack) to gain unauthorized access to vendor accounts. The absence of any blocking mechanism makes the login endpoint susceptible to automated attacks.
References		http://cs.com https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50850.md

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-07-31T00:00:00.000Z

Updated: 2025-07-31T19:57:19.017Z

Reserved: 2025-06-16T00:00:00.000Z

Link: CVE-2025-50850

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2025-07-31T16:15:31.163

Modified: 2025-08-06T16:34:48.977

Link: CVE-2025-50850

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-50850", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-07-31T19:57:19.017Z", "dateReserved": "2025-06-16T00:00:00.000Z", "datePublished": "2025-07-31T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-07-31T15:39:52.563Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in CS Cart 4.18.3 allows the vendor login functionality lacks essential security controls such as CAPTCHA verification and rate limiting. This allows an attacker to systematically attempt various combinations of usernames and passwords (brute-force attack) to gain unauthorized access to vendor accounts. The absence of any blocking mechanism makes the login endpoint susceptible to automated attacks."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://cs.com"}, {"url": "https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50850.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-804", "lang": "en", "description": "CWE-804 Guessable CAPTCHA"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-07-31T19:51:44.917545Z", "id": "CVE-2025-50850", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-31T19:57:19.017Z"}}]}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.18.3:*:*:*:*:*:*:*", "matchCriteriaId": "697E87F8-685B-468D-8876-535E807BA897", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in CS Cart 4.18.3 allows the vendor login functionality lacks essential security controls such as CAPTCHA verification and rate limiting. This allows an attacker to systematically attempt various combinations of usernames and passwords (brute-force attack) to gain unauthorized access to vendor accounts. The absence of any blocking mechanism makes the login endpoint susceptible to automated attacks."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en CS Cart 4.18.3 que permite que la funci\u00f3n de inicio de sesi\u00f3n del proveedor carezca de controles de seguridad esenciales, como la verificaci\u00f3n CAPTCHA y la limitaci\u00f3n de velocidad. Esto permite que un atacante intente sistem\u00e1ticamente diversas combinaciones de nombres de usuario y contrase\u00f1as (ataque de fuerza bruta) para obtener acceso no autorizado a las cuentas del proveedor. La ausencia de cualquier mecanismo de bloqueo hace que el endpoint de inicio de sesi\u00f3n sea vulnerable a ataques automatizados."}], "id": "CVE-2025-50850", "lastModified": "2025-08-06T16:34:48.977", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-07-31T16:15:31.163", "references": [{"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "http://cs.com"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50850.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-804"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}