CVE-2025-50847: Cross Site Request Forgery (CSRF) vulnerability in CS Cart 4.18.3, allows attackers to add products to a us...
Cross Site Request Forgery (CSRF) vulnerability in CS Cart 4.18.3, allows attackers to add products to a user's comparison list via a crafted HTTP request.
Security readout for executives and security teams
Plain-English summary
CVE-2025-50847 is a medium-severity CSRF issue reported in CS Cart 4.18.3. A malicious site could cause a user’s browser to send an unwanted request that adds products to that user’s comparison list. The known impact is limited, but it indicates missing or insufficient request-forgery protection on a state-changing action.
Executive priority
Treat this as a moderate web-application hygiene issue. It does not indicate system compromise or payment-data exposure from the provided sources, but public CS Cart 4.18.3 stores should be checked and patched according to vendor guidance.
Technical view
The CVE describes CWE-352 in CS Cart 4.18.3, where a crafted HTTP request can alter a user-specific comparison list. The CVSS 3.1 score is 6.5, with low attack complexity and low confidentiality and integrity impact. The CVE affected-product metadata is incomplete, listing vendor and product as n/a.
Likely exposure
Organizations running CS Cart 4.18.3 are the only clearly named exposure group in the provided sources. Broader version impact is not established because the CVE record does not provide vendor, product, CPE, or version-range details.
Exploitation context
The source bundle does not show CISA KEV listing or active exploitation evidence. Public disclosure exists through the CVE record and a GitHub reference, but the provided material only supports the described comparison-list manipulation impact.
Researcher notes
Evidence is incomplete. The CVE names CS Cart 4.18.3, but affected-product fields are n/a and no official fix is cited in the bundle. The CVSS vector lists UI:N, which is unusual for CSRF; validate behavior carefully before drawing exposure conclusions.
Mitigation direction
Identify whether any public storefronts run CS Cart 4.18.3.
Check CS Cart vendor guidance for a fixed version or official workaround.
Apply vendor updates when an official fix is available.
Verify CSRF protections on comparison-list state changes.
Use SameSite cookies and anti-CSRF tokens where supported.
Validation and detection
Inventory CS Cart versions across production, staging, and development stores.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-352: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-352 · source CWE mapping
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.