CVE-2026-23797

In Quick.Cart user passwords are stored in plaintext form. An attacker with high privileges can display users' password in user editing page. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cert.pl/posts/2026/02/CVE-2026-23796	Third Party Advisory
https://opensolution.org/sklep-internetowy-quick-cart.html	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:opensolution:quick.cart:6.7:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-05 12:16

Updated : 2026-02-19 18:30

NVD link : CVE-2026-23797

Mitre link : CVE-2026-23797

CVE.ORG link : CVE-2026-23797

JSON object : View

Products Affected

opensolution

quick.cart

CWE

CWE-256

Plaintext Storage of a Password

{"id": "CVE-2026-23797", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-05T12:16:01.897", "references": [{"url": "https://cert.pl/posts/2026/02/CVE-2026-23796", "tags": ["Third Party Advisory"], "source": "cvd@cert.pl"}, {"url": "https://opensolution.org/sklep-internetowy-quick-cart.html", "tags": ["Product"], "source": "cvd@cert.pl"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-256"}]}], "descriptions": [{"lang": "en", "value": "In Quick.Cart user passwords are stored in plaintext form. An attacker with high privileges can display users' password in user editing page.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable."}, {"lang": "es", "value": "En Quick.Cart, las contrase\u00f1as de usuario se almacenan en formato de texto plano. Un atacante con privilegios elevados puede mostrar las contrase\u00f1as de los usuarios en la p\u00e1gina de edici\u00f3n de usuarios.\n\nEl proveedor fue notificado tempranamente sobre esta vulnerabilidad, pero no respondi\u00f3 con los detalles de la vulnerabilidad o el rango de versiones vulnerables. Solo la versi\u00f3n 6.7 fue probada y confirmada como vulnerable; otras versiones no fueron probadas y tambi\u00e9n podr\u00edan ser vulnerables."}], "lastModified": "2026-02-19T18:30:15.370", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opensolution:quick.cart:6.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0544991D-06F2-4207-BAA0-5045BC483E61"}], "operator": "OR"}]}], "sourceIdentifier": "cvd@cert.pl"}