Key Information

Vulnerability Details

CVE ID: CVE-2025-50849
Product: CS-Cart
Affected Versions: 4.18.3
Vulnerability Type: Insecure Direct Object Reference (IDOR)
Attack Vector: Remote
Impact: Privilege Escalation / Unauthorized Operations
Reporter: Abdul Wahab, DTS Solutions
Status: Reserved

Summary

CS-Cart 4.18.3 contains an Insecure Direct Object Reference (IDOR) vulnerability in the vendor sticker management feature. The endpoint for enabling or disabling stickers accepts a parameter, but does not verify whether the user is authorized to perform operations on the specified company.

Affected Component

Impact

- Any authenticated vendor or low-privileged user can change the sticker status of other vendors.
- This leads to unauthorized operations that affect other vendors' settings or branding.
- It can be combined with enumeration or business logic flaws to cause greater impact.

Proof of Concept (PoC)

The technical PoC is withheld to prevent exploitation. It will be provided under the following conditions:

- upon request
- after the vendor releases a fix

Mitigation

- Implement proper access controls on sensitive endpoints.
- Validate ownership of on the server side before processing any changes.
- Do not rely on client-side filtering for authorization decisions.

References

CVE Record: CVE-2025-50849
Vendor: https://www.cs-cart.com
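The following is an added illustration of the bug class described in the Summary and of the server-side ownership check called for under Mitigation; it is not CS-Cart code. The parameter name company_id, the function names and the sample data are assumptions, since the advisory does not name the actual parameter.

```python
# Added example, not CS-Cart code. Models a sticker-status endpoint that trusts
# a client-supplied company identifier (the IDOR pattern) next to a version
# that verifies ownership on the server side. The parameter name company_id
# and all sample data are assumptions/constructed.

VENDOR_COMPANIES = {  # constructed sample: user id -> companies that user owns
    "vendor_a": {101},
    "vendor_b": {202},
}
STICKERS = {  # constructed sample: company id -> {sticker id: enabled}
    101: {"s1": True},
    202: {"s7": True},
}

class Forbidden(Exception):
    """Raised when the caller may not operate on the target company."""

def set_sticker_status_vulnerable(user, company_id, sticker_id, enabled):
    """Only checks that the caller is logged in.

    company_id comes straight from the request and is never compared with the
    caller's own companies, so any authenticated vendor can change another
    vendor's sticker status."""
    if user is None:
        raise Forbidden("login required")
    STICKERS[company_id][sticker_id] = enabled
    return STICKERS[company_id][sticker_id]

def owns_company(user, company_id):
    """Server-side ownership lookup; the decision never depends on client input alone."""
    return company_id in VENDOR_COMPANIES.get(user, set())

def set_sticker_status_fixed(user, company_id, sticker_id, enabled):
    """Same operation with the ownership check the mitigation describes."""
    if user is None or not owns_company(user, company_id):
        # One uniform error for foreign and nonexistent companies, so the
        # response does not reveal which company ids exist.
        raise Forbidden("not authorized for this company")
    STICKERS[company_id][sticker_id] = enabled
    return STICKERS[company_id][sticker_id]

def demo():
    """Returns (vulnerable_result, fixed_denied) for vendor_a acting on vendor_b's company."""
    vulnerable = set_sticker_status_vulnerable("vendor_a", 202, "s7", False)
    STICKERS[202]["s7"] = True  # reset the constructed state
    try:
        set_sticker_status_fixed("vendor_a", 202, "s7", False)
        denied = False
    except Forbidden:
        denied = True
    return vulnerable, denied
```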