CubeCart 6.1.12 – Admin Authentication Bypass

I Forgot My Password!

Both vulnerabilities are exploitable through CubeCart's “I forgot my Password!” functionality. It is implemented in the file classes/cubecart.class.php, in the method _recovery(). When a user has forgotten their password, they can use this feature to enter their email address, a valid password reset token received via email, and a new password for the reset.
classes/cubecart.class.php

    private function _recovery()
    {
        if (isset($_POST['email']) && isset($_POST['validate'])
            && isset($_POST['password'])) {
            $GLOBALS['user']->passwordReset($_POST['email'],
                $_POST['validate'], $_POST['password']);
        }
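
The excerpt above checks only that the three POST keys exist, and isset() is also true when a value arrives as an array rather than a string. A stricter gate that could sit in front of passwordReset(), as an added example that is not CubeCart's code; the function name recovery_input() and the token and password format rules are assumptions:

```php
<?php
/**
 * Added example (not CubeCart code). Returns the three recovery fields as
 * validated strings, or null if any field is missing, is not a string,
 * or fails its format check.
 */
function recovery_input(array $post): ?array
{
    $fields = [];
    foreach (['email', 'validate', 'password'] as $key) {
        // isset() is also true for array values, so the type has to be
        // checked explicitly before the value is passed on.
        if (!isset($post[$key]) || !is_string($post[$key])) {
            return null;
        }
        $fields[$key] = $post[$key];
    }
    if (filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Assumed token format: 1 to 64 ASCII letters and digits.
    if (preg_match('/\A[A-Za-z0-9]{1,64}\z/', $fields['validate']) !== 1) {
        return null;
    }
    // Assumed password length bounds.
    $len = strlen($fields['password']);
    if ($len < 8 || $len > 128) {
        return null;
    }
    return $fields;
}

// Constructed sample requests, shaped like $_POST.
$samples = [
    'well-formed'      => ['email' => 'user@example.com', 'validate' => 'a1B2c3D4',
                           'password' => 'correct horse battery'],
    'array token'      => ['email' => 'user@example.com', 'validate' => ['a1B2c3D4'],
                           'password' => 'correct horse battery'],
    'missing password' => ['email' => 'user@example.com', 'validate' => 'a1B2c3D4'],
];
foreach ($samples as $label => $post) {
    printf("%-17s %s\n", $label, recovery_input($post) === null ? 'rejected' : 'accepted');
}
```

Only the first sample is accepted; the handler would call passwordReset() with the returned strings and reject the request otherwise.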