CS-Cart Insecure Direct Object Reference Vulnerability in Sticker Management

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in CS-Cart version 4.18.3. The issue is in the vendor sticker management feature: the endpoint that toggles a sticker's status accepts a 'company_id' parameter from the request and does not verify on the server that the value matches the company of the authenticated vendor, or that the sticker being toggled belongs to that company. As a result, an authenticated user can alter the 'company_id' or other object identifiers in the request and change sticker settings belonging to other vendors' accounts.

Impact

This vulnerability allows any authenticated vendor, or a lower-privileged authenticated user, to change the sticker status of other vendors, resulting in unauthorized modification of their settings and branding. Because the request only needs a valid identifier, it can be combined with identifier enumeration or business logic flaws for greater effect.

Remediation

To address this vulnerability, enforce access control on the sticker endpoints server-side: for vendor accounts, derive the acting company from the authenticated session rather than from the request, and verify that the sticker referenced in the request belongs to that company before applying any change. Validating the 'company_id' parameter alone is not sufficient if the sticker identifier can still point at another vendor's object. Do not rely on client-side filtering or hidden form fields for authorization decisions.
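The following is an added illustration of the remediation above, written for this page; it is not CS-Cart source code, and the sticker store, session object and parameter names are assumptions chosen to model the pattern. It places the vulnerable handler (trusts every identifier in the request) beside a hardened one (acting company taken from the session, ownership of the targeted sticker checked before the write).

```python
"""Model of the sticker-status toggle and its fix (example added to this
advisory; the data shapes are assumptions, not the CS-Cart API)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Server-side session state, established at login (assumed shape)."""
    user_id: int
    role: str                    # "admin" or "vendor"
    company_id: Optional[int]    # vendor's own company; None for root admin


class Forbidden(Exception):
    """Raised when the request is rejected by the authorization check."""


def sample_store():
    """Constructed sample data: two vendors, each owning one sticker."""
    return {
        101: {"company_id": 1, "status": "A"},   # owned by vendor company 1
        202: {"company_id": 2, "status": "A"},   # owned by vendor company 2
    }


def toggle_vulnerable(session, params, stickers):
    """Vulnerable handler: trusts sticker_id and company_id from the request.

    The only check is that a company_id was supplied at all, so any
    authenticated user can flip any vendor's sticker (the IDOR).
    """
    if "company_id" not in params:
        raise Forbidden("company_id required")
    sticker = stickers[int(params["sticker_id"])]
    sticker["status"] = params["status"]
    return sticker["status"]


def toggle_hardened(session, params, stickers):
    """Hardened handler: ownership is decided from server-side state.

    - Vendors: the acting company comes from the session; the request's
      company_id is ignored, and the targeted sticker must belong to that
      company.
    - Admins: may act for any company, but the sticker must still belong to
      the company named in the request, so mismatched pairs are rejected.
    A missing sticker gets the same rejection as a foreign one, so the
    endpoint does not become an enumeration oracle.
    """
    sticker = stickers.get(int(params.get("sticker_id", -1)))
    if sticker is None:
        raise Forbidden("access denied")

    if session.role == "vendor":
        acting_company = session.company_id          # never from the request
    elif session.role == "admin":
        acting_company = int(params["company_id"])
    else:
        raise Forbidden("access denied")

    if sticker["company_id"] != acting_company:
        raise Forbidden("access denied")

    sticker["status"] = params["status"]
    return sticker["status"]


def attempt(handler, session, params, stickers):
    """Run a handler and report either the new status or 'FORBIDDEN'."""
    try:
        return handler(session, params, stickers)
    except Forbidden:
        return "FORBIDDEN"


if __name__ == "__main__":
    vendor1 = Session(user_id=10, role="vendor", company_id=1)
    cross_tenant = {"sticker_id": 202, "company_id": 2, "status": "D"}
    print("vulnerable:", attempt(toggle_vulnerable, vendor1, cross_tenant, sample_store()))
    print("hardened:  ", attempt(toggle_hardened, vendor1, cross_tenant, sample_store()))
```

Note that the hardened version checks the owner of the object actually being modified, not just the 'company_id' field: a check on the parameter alone would still let a vendor supply their own 'company_id' together with another vendor's 'sticker_id'.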

Added: Jul 31, 2025, 3:23 PM
Updated: Jul 31, 2025, 4:44 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 5.0
remediation: 0.0
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined into the overall risk score.