CVE-2023-43148
Description
SPA-Cart 1.9.0.3 has a Cross Site Request Forgery (CSRF) vulnerability that allows a remote attacker to delete all accounts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE)
- (no CPE), version range: = 1.9.0.3
Patches
Vulnerability mechanics
Root cause
"The application is vulnerable to Cross-Site Request Forgery (CSRF) because it does not properly validate requests to delete user accounts."
Attack vector
A remote attacker can exploit this vulnerability by tricking a logged-in administrator into clicking a crafted HTML link or opening a malicious file [ref_id=1]. The link or file contains a form that, when submitted, sends a request to the server to delete all accounts. The vulnerability exists because the application does not verify whether the request originates from a legitimate user action within the application's own interface [ref_id=1].
Affected code
The vulnerability affects SPA-Cart version 1.9.0.3. Specifically, the user account deletion functionality, accessible via the `/admin/users/search` endpoint, is susceptible to CSRF attacks [ref_id=1].
What the fix does
The advisory does not provide details of a specific patch or fix. To remediate CSRF vulnerabilities, applications should implement anti-CSRF tokens (bound to the user's session and verified on every state-changing request) or otherwise ensure that sensitive actions are protected by checks that a request forged from an external site cannot satisfy.
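To make the remediation concrete, here is an added example (not SPA-Cart's code) contrasting the vulnerable pattern, a delete handler that trusts the session cookie alone, with a hardened handler that checks the request's Origin and a session-bound synchronizer token. The session store, the allowed origin `https://shop.example` and the foreign origin `https://third-party.example` are constructed for the demo.

```python
import hmac
import secrets

# Constructed in-memory session store for this demo (not SPA-Cart's own code).
SESSIONS = {}
ALLOWED_ORIGIN = "https://shop.example"  # assumed origin of the admin UI


def start_admin_session():
    """Log an admin in; the server binds a random CSRF token to the session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"admin": True, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Value the legitimate admin page embeds as a hidden form field."""
    return SESSIONS[sid]["csrf"]


def delete_accounts_vulnerable(sid, form):
    """Pattern described in the advisory: only the session cookie is checked,
    so any page that makes the admin's browser POST here succeeds."""
    session = SESSIONS.get(sid)
    if session is None or not session["admin"]:
        return 403
    return 200  # accounts would be deleted here


def delete_accounts_hardened(sid, form, origin):
    """Hardened handler: same-origin check plus a synchronizer token."""
    session = SESSIONS.get(sid)
    if session is None or not session["admin"]:
        return 403
    # Browsers set Origin on cross-site POSTs; reject anything foreign.
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403
    # Constant-time compare of the submitted token with the session's token.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403
    return 200


def demo():
    """Returns (vulnerable on forged, hardened on forged, hardened on legit)."""
    sid = start_admin_session()
    forged = {"action": "delete_all"}  # victim's cookie rides along, no token
    legit = {"action": "delete_all", "csrf_token": csrf_token_for(sid)}
    return (delete_accounts_vulnerable(sid, forged),
            delete_accounts_hardened(sid, forged, "https://third-party.example"),
            delete_accounts_hardened(sid, legit, ALLOWED_ORIGIN))
```

The forged request is accepted by the vulnerable handler and rejected by the hardened one; the same request carrying the page-embedded token from the expected origin still succeeds.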
Preconditions
- auth: The victim must be logged in as an administrator.
Reproduction
1. Create an HTML file containing the provided Proof of Concept (PoC) code.
2. Host this HTML file.
3. Trick an administrator into visiting the hosted HTML file.
4. The script will automatically submit the form, triggering the deletion of all accounts [ref_id=1].
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
News mentions
No linked articles in our index yet.