
CVE-2025-50847: n/a

Medium
Published: Thu Jul 31 2025 (07/31/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Cross Site Request Forgery (CSRF) vulnerability in CS Cart 4.18.3, allows attackers to add products to a user's comparison list via a crafted HTTP request.

AI-Powered Analysis

Last updated: 07/31/2025, 20:17:53 UTC

Technical Analysis

CVE-2025-50847 is a Cross Site Request Forgery (CSRF) vulnerability identified in CS Cart version 4.18.3. This vulnerability allows an attacker to add products to a user's comparison list by sending a specially crafted HTTP request without the user's consent or interaction. CSRF vulnerabilities exploit the trust that a web application places in the user's browser, enabling unauthorized commands to be transmitted from a user that the web application trusts. In this case, the attacker can manipulate the comparison list feature of CS Cart, an e-commerce platform, potentially altering the user's shopping experience or influencing product comparisons.

The vulnerability does not require any authentication (PR:N) and can be exploited remotely over the network (AV:N) with low attack complexity (AC:L). No user interaction is needed (UI:N), and the scope is unchanged (S:U). The impact affects confidentiality and integrity to a limited extent (C:L, I:L) but does not affect availability (A:N). Although the vulnerability does not directly lead to data leakage or system compromise, it can be leveraged as part of a broader attack chain or to manipulate user behavior on e-commerce sites.

There are no known exploits in the wild at the time of publication, and no patches have been linked yet. The vulnerability is classified under CWE-352, which corresponds to CSRF issues. The CVSS v3.1 base score is 6.5, indicating a medium severity level.

Potential Impact

For European organizations using CS Cart 4.18.3, particularly e-commerce businesses, this vulnerability could undermine customer trust and the integrity of the shopping experience. Attackers could manipulate product comparison lists, potentially skewing customer decisions or promoting certain products unfairly. While the direct confidentiality and integrity impact is limited, the vulnerability could be exploited in combination with other attacks to perform phishing or social engineering campaigns, or to subtly influence purchasing behavior. This could lead to reputational damage, loss of customer confidence, and potential financial impact. Additionally, regulatory compliance under GDPR requires maintaining the integrity and security of customer data and interactions; exploitation of this vulnerability could be viewed as a failure to protect user interactions adequately. The lack of user interaction and authentication requirements increases the risk of automated exploitation attempts. However, since no known exploits are currently in the wild and the impact is limited to product comparison manipulation, the immediate risk is moderate but should not be ignored.

Mitigation Recommendations

European organizations should prioritize the implementation of anti-CSRF tokens in all state-changing requests within CS Cart, including those that modify the product comparison list. Specifically, developers should ensure that all forms and AJAX requests include unique, unpredictable CSRF tokens validated on the server side. Additionally, organizations should monitor web application logs for unusual or repetitive requests that modify comparison lists without corresponding user actions. Employing Content Security Policy (CSP) headers can help mitigate some CSRF attack vectors by restricting the sources of executable scripts. Organizations should also consider implementing SameSite cookie attributes to prevent cookies from being sent with cross-site requests. Until an official patch is released, applying web application firewall (WAF) rules to detect and block suspicious CSRF attempts targeting the comparison list functionality can provide a temporary defense. Regular security testing and code reviews focusing on CSRF protections are recommended to prevent similar vulnerabilities. Finally, educating users about the risks of interacting with untrusted websites can help reduce the impact of CSRF attacks.
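The log-monitoring recommendation above, as an added example (not CS Cart code and not part of the original analysis): a Python scan of combined-format access logs that flags comparison-list adds whose Referer is missing or points at another site, and reports external hosts that drive such adds from several clients. The hostname `shop.example`, the action name `EXAMPLE.compare_add` and the threshold are placeholders, since the page does not give the real request.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

SITE_HOST = "shop.example"                    # assumption: the store's own hostname
COMPARE_ADD = "dispatch=EXAMPLE.compare_add"  # placeholder, NOT CS Cart's real action name
MIN_CLIENTS = 3                               # assumption: distinct clients per referring host

# Apache/Nginx "combined" log format.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def classify(line):
    """Return (client_ip, referring_host) for a comparison-list add that did not
    originate from the store's own pages, else None. Host "" means no Referer."""
    m = LINE.match(line)
    if not m or COMPARE_ADD not in m["url"]:
        return None
    ref = m["referer"]
    host = "" if ref in ("", "-") else (urlsplit(ref).hostname or "").lower()
    # Exact host comparison: "shop.example.attacker.invalid" must not pass as same-site.
    return None if host == SITE_HOST else (m["ip"], host)

def scan(lines):
    """Return (findings, campaigns): campaigns are external hosts that drove adds
    from at least MIN_CLIENTS distinct client IPs."""
    findings = [f for f in map(classify, lines) if f]
    clients = defaultdict(set)
    for ip, host in findings:
        if host:
            clients[host].add(ip)
    campaigns = sorted(h for h, ips in clients.items() if len(ips) >= MIN_CLIENTS)
    return findings, campaigns

def _row(ip, url, referer):  # builds one constructed log line
    return f'{ip} - - [31/Jul/2025:10:00:00 +0000] "GET {url} HTTP/1.1" 200 512 "{referer}" "Mozilla/5.0"'

ADD = "/index.php?" + COMPARE_ADD + "&product_id=12"
SAMPLE = [  # constructed sample traffic, not real logs
    _row("203.0.113.10", ADD, "https://shop.example/category/phones"),
    _row("203.0.113.11", ADD, "https://promo.invalid/deal"),
    _row("203.0.113.12", ADD, "https://promo.invalid/deal"),
    _row("203.0.113.13", ADD, "https://promo.invalid/deal"),
    _row("203.0.113.14", ADD, "-"),
    _row("203.0.113.15", ADD, "https://shop.example.attacker.invalid/"),
    _row("203.0.113.16", "/index.php?dispatch=products.view&product_id=12", "https://promo.invalid/deal"),
]

if __name__ == "__main__":
    findings, campaigns = scan(SAMPLE)
    print(len(findings), "suspicious adds; repeated external referrers:", campaigns)
```

A missing Referer is a weaker signal than a cross-site one, because privacy settings and Referrer-Policy can strip the header from legitimate requests.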


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-06-16T00:00:00.000Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 688bcbf9ad5a09ad00bbffc6

Added to database: 7/31/2025, 8:03:05 PM

Last enriched: 7/31/2025, 8:17:53 PM

Last updated: 8/1/2025, 5:45:38 PM
