Full Report
CERT Polska has received a report about 2 vulnerabilities (CVE-2026-23796 and CVE-2026-23797) found in Quick.Cart software.
Analysis Summary
Summary of the two reported flaws in Quick.Cart software.
***
# Vulnerability: Quick.Cart Session Fixation and Plaintext Password Storage
## CVE Details
- **CVE ID:** CVE-2026-23796
- **CVSS Score:** *Not provided in source* (Severity unknown)
- **CWE:** CWE-384 (Session Fixation)
- **CVE ID:** CVE-2026-23797
- **CVSS Score:** *Not provided in source* (Severity unknown)
- **CWE:** CWE-256 (Plaintext Storage of a Password)
## Affected Systems
- **Products:** Quick.Cart (Vendor: OpenSolution)
- **Versions:** 6.7 (Only 6.7 confirmed vulnerable; other versions might be affected)
- **Configurations:** Not specified, likely standard installations.
## Vulnerability Description
**CVE-2026-23796 (Session Fixation):** The application accepts the session identifier a client presents *before* authentication and keeps that same identifier *after* a successful login, instead of issuing a fresh one. An attacker who can get the victim's browser to use a session ID the attacker already knows only has to wait for the victim to log in; the attacker-known ID then refers to an authenticated session, which the attacker can use to act as the victim.
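The two login shapes described above, as an added illustration that is not Quick.Cart's own code: a handler that keeps whatever session ID the client arrived with (the CVE-2026-23796 condition) beside one that rotates it at login. Quick.Cart is a PHP application, so the example is PHP; `verify_credentials()` and its inline user table are placeholders for this example only.

```php
<?php
// Added example (not Quick.Cart code): the login pattern that produces the
// CVE-2026-23796 condition, beside a hardened version. verify_credentials()
// and the $users table inside it are placeholders for illustration.
declare(strict_types=1);

// --- Vulnerable: the session ID fixed before login survives authentication ---
function login_vulnerable(string $user, string $pass): bool
{
    // Whatever PHPSESSID the client presented (possibly attacker-chosen)
    // is the session; nothing changes it after a successful login.
    if (!verify_credentials($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;   // the pre-set ID is now an authenticated session
    return true;
}

// --- Hardened: fresh ID on privilege change, old ID invalidated ---
function login_hardened(string $user, string $pass): bool
{
    if (!verify_credentials($user, $pass)) {
        return false;
    }
    // Replace the session ID and delete the old session data, so an ID the
    // attacker handed to the victim before login no longer maps to anything.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
    return true;
}

function verify_credentials(string $user, string $pass): bool
{
    // Placeholder user store for the example; real code reads a stored hash.
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Session bootstrap. use_strict_mode makes PHP refuse an ID it did not issue
// itself, which blocks the simplest fixation variant (attacker picks an
// arbitrary ID). It does not help when the attacker first obtains a valid
// server-issued ID, so regeneration at login is still required.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Self-check a reviewer can apply to any login handler: the ID must differ
// before and after a successful login.
$before = session_id();
if (login_hardened('alice', 'correct horse')) {
    $after = session_id();
    echo $before === $after ? "FAIL: session ID unchanged across login\n"
                            : "OK: session ID rotated at login\n";
}
```

The same before/after comparison, done in a browser by noting the `PHPSESSID` cookie value before and after logging in, is the quickest way to confirm whether a given Quick.Cart deployment still exhibits the flaw.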
**CVE-2026-23797 (Plaintext Password Storage):** User passwords are stored in plaintext format within Quick.Cart. An attacker possessing high-level privileges can view the cleartext passwords of other users on the user editing page.
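The fix for the storage flaw just described, as an added example that is not Quick.Cart's own code: passwords are stored only as `password_hash()` output and checked with `password_verify()`, and any legacy row that still holds a plaintext value is upgraded in place on the user's next successful login. The `$users` array is a constructed stand-in for the real user store.

```php
<?php
// Added example (not Quick.Cart code): replacing plaintext password storage
// (CVE-2026-23797) with password_hash()/password_verify(), including a
// transparent upgrade path for rows that still hold a plaintext password.
// The $users array is a constructed stand-in for the real user store.
declare(strict_types=1);

// Constructed sample store: one row already hashed, one still in plaintext.
$users = [
    'alice' => ['password' => password_hash('s3cret-alice', PASSWORD_DEFAULT)],
    'bob'   => ['password' => 'plaintext-bob'],   // legacy row
];

function is_hashed(string $stored): bool
{
    // password_get_info() reports no algorithm for strings that are not a
    // recognised hash, i.e. a legacy plaintext value.
    return !empty(password_get_info($stored)['algo']);
}

function authenticate(array &$users, string $user, string $pass): bool
{
    if (!isset($users[$user])) {
        // Do a verify anyway so timing does not reveal whether the user exists.
        password_verify($pass, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    $stored = $users[$user]['password'];

    if (is_hashed($stored)) {
        if (!password_verify($pass, $stored)) {
            return false;
        }
        // Re-hash if the default cost or algorithm has moved on since storage.
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $users[$user]['password'] = password_hash($pass, PASSWORD_DEFAULT);
        }
        return true;
    }

    // Legacy plaintext row: compare in constant time, then upgrade in place so
    // the plaintext disappears from the store on the first successful login.
    if (!hash_equals($stored, $pass)) {
        return false;
    }
    $users[$user]['password'] = password_hash($pass, PASSWORD_DEFAULT);
    return true;
}

var_dump(authenticate($users, 'bob', 'plaintext-bob'));   // true, row upgraded
var_dump(is_hashed($users['bob']['password']));            // true
var_dump(authenticate($users, 'bob', 'wrong'));            // false
```

The login-time upgrade only removes plaintext for users who actually log in; rows that never see a login keep their plaintext value, which is why a forced reset of all passwords (or a one-off batch rehash while the plaintext is still available) belongs in the remediation plan.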
## Exploitation
- **Status:** The source describes disclosure only; exploitation status (in the wild or public PoC) is **Unknown**.
- **Complexity:**
- CVE-2026-23796: Likely **Medium**. The attacker must first get the victim's browser to use an attacker-known session ID and then wait for the victim to log in; no credentials are needed.
- CVE-2026-23797: **Low** once high privileges are held. The cleartext passwords are displayed on the user editing page, so no further technique is required.
- **Attack Vector:**
- CVE-2026-23796: Likely **Network** (the session ID is delivered to the victim remotely).
- CVE-2026-23797: **Network**, with **Privileges Required: High** (an account able to open the user editing page). No local access to the host is needed.
## Impact
*Confidentiality, Integrity, and Availability impacts depend on which vulnerability is exploited.*
| Impact | CVE-2026-23796 (Session Fixation) | CVE-2026-23797 (Plaintext Passwords) |
| :--- | :--- | :--- |
| **Confidentiality** | High (the hijacked session exposes whatever the victim can see) | High (cleartext credentials of every user exposed to a high-privileged viewer) |
| **Integrity** | High (attacker can perform actions as the victim) | Indirect but potentially High (a recovered password lets the attacker log in as that user; password reuse extends the impact beyond Quick.Cart) |
| **Availability** | Low | Low |
## Remediation
### Patches
- The article notes that the vendor was notified but did not respond with patch information or a confirmed vulnerable version range. **No official patch version is listed.**
### Workarounds
- **Mitigation for CVE-2026-23796:** The root cause is that the application never replaces the session ID at login, so the complete fix is in code: regenerate the session ID and invalidate the old one immediately after successful authentication. Until a fixed version exists, harden PHP's session handling (`session.use_strict_mode = 1`, `session.use_only_cookies = 1`, `session.cookie_httponly = 1`): strict mode makes PHP reject session IDs it did not issue, which defeats the simplest fixation variant (attacker-chosen ID) but not one where the attacker first obtains a valid server-issued ID. Keep session lifetimes short and confirm with a test login that the `PHPSESSID` value changes across authentication.
- **Mitigation for CVE-2026-23797:** Restrict administrative access (high privileges) to the absolute minimum necessary personnel and audit who has it. Treat every stored password as already exposed: once storage is switched to password hashing, force a reset for all users, and advise users who reused their Quick.Cart password elsewhere to change it there too.
## Detection
- **Indicators of Compromise:**
- Unusual session activity following login.
- Unauthorized access attempts or actions logged under legitimate user accounts.
- **Detection methods and tools:**
- Reviewing application logs for session ID reuse patterns across login events.
- Direct database/configuration file inspection (for forensics) to confirm plaintext password storage.
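The "session ID reuse across login events" review listed above, as an added example that is not Quick.Cart code. Quick.Cart does not ship a log that records session IDs, so the line format here (timestamp, `sid=`, `user=` or `-` when unauthenticated, `event=`) is assumed, and the log lines are constructed for the example.

```php
<?php
// Added example (not Quick.Cart code): the "session ID reuse across login"
// check from the detection notes, run over constructed request-log lines.
// The log format is assumed; Quick.Cart does not ship such a log, so this
// presumes you have added request logging that records the session id.
declare(strict_types=1);

// Constructed sample log for the example.
const SAMPLE_LOG = <<<'LOG'
2026-01-10T10:00:01 sid=a1b2c3 user=- event=view
2026-01-10T10:00:05 sid=a1b2c3 user=alice event=login
2026-01-10T10:00:09 sid=a1b2c3 user=alice event=view
2026-01-10T10:01:00 sid=d4e5f6 user=- event=view
2026-01-10T10:01:03 sid=9f8e7d user=bob event=login
2026-01-10T10:02:00 sid=a1b2c3 user=carol event=view
LOG;

/**
 * Returns findings keyed by session id:
 *  - 'fixed_across_login': the id was seen unauthenticated and then used for
 *    a login, i.e. the server did not rotate it (CVE-2026-23796 pattern)
 *  - 'multiple_users': the same id was used by more than one account
 *    (possible hijack of a fixated session)
 */
function analyse_sessions(string $log): array
{
    $seenUnauth = [];   // sid => true
    $usersBySid = [];   // sid => [user => true]
    $findings   = [];

    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/sid=(\S+) user=(\S+) event=(\S+)/', $line, $m)) {
            continue; // skip lines not in the assumed format
        }
        [, $sid, $user, $event] = $m;

        if ($user === '-') {
            $seenUnauth[$sid] = true;
            continue;
        }
        if ($event === 'login' && isset($seenUnauth[$sid])) {
            $findings[$sid][] = 'fixed_across_login';
        }
        $usersBySid[$sid][$user] = true;
        if (count($usersBySid[$sid]) > 1) {
            $findings[$sid][] = 'multiple_users';
        }
    }
    // Deduplicate findings per sid; array_map keeps the string keys.
    return array_map(fn ($f) => array_values(array_unique($f)), $findings);
}

print_r(analyse_sessions(SAMPLE_LOG));
```

On the sample, `a1b2c3` is flagged twice (it was used unauthenticated, then for alice's login, then by carol), `9f8e7d` is not flagged because bob's login arrived on an ID never seen unauthenticated, and `d4e5f6` is never authenticated at all. A `fixed_across_login` finding on its own shows the application is vulnerable; `multiple_users` on the same ID is the indicator that someone actually rode the fixated session.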
## References
- Vendor advisories: **None provided** (Vendor failed to respond as of report date).
- Relevant links:
- https://incydent.cert.pl/#!/lang=en
- https://cert.pl/en/cvd/