HIO-2009-0128 osCommerce CSRF

osCommerce, "a complete online store solution", exhibits a vulnerability which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application allows certain actions to be performed via HTTP requests without any validation to verify the requests. This includes the ability to create additional administrator accounts by tricking an administrative user into visiting a malicious web site.

The vulnerability is confirmed in version 2.2 Release Candidate 2a. Other versions may also be affected.

References:

CVE-2009-0408

BID: pending

FrSIRT: N/A

Nessus: N/A

OSVDB: 51605

SA: 33446

XF: 48289

Vendor Solution: None available
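With no vendor fix available, one way to look for the forged requests described above is to scan the web server's access log for parameterised or POST requests to the admin area whose Referer points at another site. This is an added example, not part of the advisory or of osCommerce; the host name, admin path, script name and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the advisory): the store is served from shop.example
# and the admin tool lives under /admin/. Adjust both for a real deployment.
SITE_HOST = "shop.example"
ADMIN_PREFIX = "/admin/"

# Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines; form.php and action=save are hypothetical names.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /admin/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "POST /admin/form.php?action=save HTTP/1.1" 302 0 "http://shop.example/admin/form.php" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:10:03:44 +0000] "POST /admin/form.php?action=save HTTP/1.1" 302 0 "http://other.example/page.html" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:10:05:12 +0000] "POST /admin/form.php?action=save HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:06:30 +0000] "GET /index.php?cPath=1 HTTP/1.1" 200 900 "http://other.example/" "Mozilla/5.0"',
]

def classify(line):
    """Return 'cross-site', 'no-referer' or None for one access log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    if not target.path.startswith(ADMIN_PREFIX):
        return None
    # Only requests that can change state: POSTs, or GETs carrying parameters.
    if m["method"] != "POST" and not target.query:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        # A missing Referer on a GET is usually a bookmark; on a POST it is odd.
        return "no-referer" if m["method"] == "POST" else None
    host = (urlsplit(referer).hostname or "").lower()
    return None if host == SITE_HOST else "cross-site"

def scan(lines):
    """Return (line_number, verdict) for every flagged line."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := classify(line)) is not None]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(number, verdict)
```

A Referer check like this is a detection aid only, since the header can be stripped by browsers and proxies; the underlying flaw is closed by validating a per-session token on every state-changing request.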

 

 