CVE-2025-59413 | THREATINT

Description

CubeCart is an ecommerce software solution. Prior to version 6.5.11, a logic flaw exists in the newsletter subscription endpoint that allows an attacker to unsubscribe any user without their consent. By changing the value of the force_unsubscribe parameter in the POST request to 1, an attacker can force the removal of any valid subscriber’s email address. This issue has been patched in version 6.5.11.

PUBLISHED Reserved 2025-09-15 | Published 2025-09-22 | Updated 2025-09-22 | Assigner GitHub_M

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Problem types

CWE-862: Missing Authorization

Product status

< 6.5.11

affected

References

github.com/...art/v6/security/advisories/GHSA-869v-gjv8-9m7f exploit

github.com/...art/v6/security/advisories/GHSA-869v-gjv8-9m7f

github.com/...ommit/7fd1cd04f5d5c3ce1d7980327464f0ff6551de79

github.com/...ommit/db965fcfa260c4f17eb16f8c5494e5af4a8ac271

github.com/...ommit/dbc58cf1f7a6291f7add5893b56bff7920a29128

cve.org (CVE-2025-59413)

nvd.nist.gov (CVE-2025-59413)

Download JSON