CVE-2013-0118 Information

Description

CS-Cart before 3.0.6 when PayPal Standard Payments is configured allows remote attackers to set the payment recipient via a modified value of the merchant’s e-mail address as demonstrated by setting the recipient to one’s self.

Reference

http://www.kb.cert.org/vuls/id/583564 http://www.kb.cert.org/vuls/id/BLUU-949PQL