CubeCart Newsletter Unsubscription Vulnerability Allowing Unauthorized User Removal

Vulnerability

A logic flaw has been identified in CubeCart versions prior to 6.5.11, in the newsletter subscription endpoint. The endpoint trusts the client-supplied 'force_unsubscribe' parameter in the POST request, so an attacker who sets it can forcibly remove any valid subscriber's email address without that subscriber's consent or confirmation. The issue has been patched in version 6.5.11.

Impact

Exploitation of this vulnerability allows for unauthorized unsubscription of users from newsletters, potentially leading to missed communications and violation of consent regulations.

Reproduction

To reproduce this vulnerability, subscribe to the newsletter with a valid email address. Then, intercept the POST request to the newsletter subscription endpoint. Change the 'force_unsubscribe' parameter from 0 to 1 and resend the request. The targeted email address will be unsubscribed without confirmation.

Remediation

Update to CubeCart version 6.5.11 or later, which patches this vulnerability.
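The flaw described above is a server that lets a client flag decide whether an address is removed, and the fix is to require proof that the requester controls the address. The following added example is not CubeCart's code; it is a language-neutral model written in Python with an in-memory subscriber store. The vulnerable handler reproduces the described behaviour (a 'force_unsubscribe' value of 1 removes the address outright), and the hardened handler ignores that flag and accepts removal only with an HMAC token bound to the address, of the kind a shop would deliver in the unsubscribe link sent to the mailbox. The store, handler names and token scheme are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class NewsletterStore:
    """Constructed in-memory stand-in for the shop's subscriber table."""
    subscribers: set = field(default_factory=set)
    # Assumed per-deployment secret used to sign unsubscribe tokens.
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))


def _email_from(form):
    return form.get("email", "").strip().lower()


def vulnerable_handler(store, form):
    """Flawed pattern: the request's own 'force_unsubscribe' flag decides
    whether the address is removed. Nothing proves the sender owns it."""
    email = _email_from(form)
    if not email:
        return "error: missing email"
    if form.get("force_unsubscribe", "0") == "1":
        store.subscribers.discard(email)   # any client can trigger this
        return "unsubscribed"
    store.subscribers.add(email)
    return "subscribed"


def make_unsubscribe_token(store, email):
    """Token bound to one address. The shop would place it in the unsubscribe
    link it mails to the subscriber, so only the mailbox owner can present it."""
    return hmac.new(store.secret, email.encode(), hashlib.sha256).hexdigest()


def hardened_handler(store, form):
    """Hardened pattern: 'force_unsubscribe' has no effect. Removal requires a
    valid token for exactly this address; everything else is a subscribe."""
    email = _email_from(form)
    if not email:
        return "error: missing email"
    token = form.get("token")
    if token is not None:
        expected = make_unsubscribe_token(store, email)
        # Constant-time comparison on bytes avoids timing leaks and TypeErrors
        # on non-ASCII input.
        if hmac.compare_digest(token.encode(), expected.encode()):
            store.subscribers.discard(email)
            return "unsubscribed"
        return "error: invalid unsubscribe token"
    store.subscribers.add(email)
    return "subscribed"


def demo():
    """Run both handlers against the same constructed requests."""
    victim = "victim@example.com"            # constructed sample address
    weak, strong = NewsletterStore(), NewsletterStore()
    vulnerable_handler(weak, {"email": victim, "force_unsubscribe": "0"})
    hardened_handler(strong, {"email": victim, "force_unsubscribe": "0"})
    # Same tampered request sent to each handler.
    tampered = {"email": victim, "force_unsubscribe": "1"}
    weak_result = vulnerable_handler(weak, tampered)
    strong_result = hardened_handler(strong, tampered)
    return {
        "vulnerable_removed": victim not in weak.subscribers,
        "vulnerable_response": weak_result,
        "hardened_removed": victim not in strong.subscribers,
        "hardened_response": strong_result,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that an unsubscribe request must carry something the attacker cannot forge for another person's address. A signed token tied to the address does that; a plain boolean in the form body does not, however it is named. Logging rejected tokens also gives operators a signal when someone is probing the endpoint.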

Added: Sep 22, 2025, 5:21 PM
Updated: Sep 23, 2025, 12:18 AM

Vulnerability Rating (Custom Algorithm)

spread          5.2
impact          2.5
exploitability  9.7
remediation     7.7
relevance       0.6
threat          6.4
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.