Unrated severityNVD Advisory· Published Sep 28, 2015· Updated May 6, 2026

CVE-2015-6928

Description

classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x before 6.0.7 does not properly validate that a password reset request was made, which allows remote attackers to change the administrator password via a recovery request with a space character in the validate parameter and the administrator email in the email parameter.

Affected products

Cubecart/Cubecart11 versions
cpe:2.3:a:cubecart:cubecart:5.2.12:*:*:*:*:*:*:*+ 10 more
- cpe:2.3:a:cubecart:cubecart:5.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:cubecart:cubecart:5.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:cubecart:cubecart:5.2.14:*:*:*:*:*:*:*
- cpe:2.3:a:cubecart:cubecart:5.2.15:*:*:*:*:*:*:*
- cpe:2.3:a:cubecart:cubecart:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:cubecart:cubecart:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:cubecart:cubecart:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:cubecart:cubecart:6.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:cubecart:cubecart:6.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:cubecart:cubecart:6.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:cubecart:cubecart:6.0.6:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

forums.cubecart.com/topic/50277-critical-security-issue-admin-account-hijack/nvdPatchVendor Advisory
packetstormsecurity.com/files/133535/CubeCart-6.0.6-Administrative-Bypass.htmlnvdExploit
seclists.org/fulldisclosure/2015/Sep/40nvdExploit
www.securitytracker.com/id/1034015nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000