{"id":"CVE-2025-59413","summary":"CubeCart Unauthorized Newsletter Unsubscription via force_unsubscribe Parameter","details":"CubeCart is an ecommerce software solution. Prior to version 6.5.11, a logic flaw exists in the newsletter subscription endpoint that allows an attacker to unsubscribe any user without their consent. By changing the value of the force_unsubscribe parameter in the POST request to 1, an attacker can force the removal of any valid subscriber’s email address. This issue has been patched in version 6.5.11.","aliases":["GHSA-869v-gjv8-9m7f"],"modified":"2026-04-10T05:32:02.301014Z","published":"2025-09-22T16:15:00.351Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-862"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59413.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59413.json"},{"type":"ADVISORY","url":"https://github.com/cubecart/v6/security/advisories/GHSA-869v-gjv8-9m7f"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59413"},{"type":"FIX","url":"https://github.com/cubecart/v6/commit/7fd1cd04f5d5c3ce1d7980327464f0ff6551de79"},{"type":"FIX","url":"https://github.com/cubecart/v6/commit/db965fcfa260c4f17eb16f8c5494e5af4a8ac271"},{"type":"FIX","url":"https://github.com/cubecart/v6/commit/dbc58cf1f7a6291f7add5893b56bff7920a29128"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cubecart/v6","events":[{"introduced":"0"},{"fixed":"a7a0d71e5ae979f2a13e8b4cde591c040f1109e4"}]}],"versions":["2.6.7","6.0.0","6.0.0b1","6.0.0b2","6.0.0b3","6.0.0b4","6.0.0b5","6.0.0b6","6.0.0b7","6.0.1","6.0.10","6.0.11","6.0.12","6.0.2","6.0.3","6.0.4","6.0.5","6.0.6","6.0.8","6.0.9","6.1.0","6.1.1","6.1.10","6.1.11pr","6.1.2","6.1.3","6.1.4","6.1.5","6.1.6","6.1.7","6.1.8","6.1.9","6.2.0","6.2.0-b1","6.2.0-rc1","6.2.0-rc2","6.2.1","6.2.2","6.2.3","6.2.4","6.2.5","6.2.6","6.2.8","6.2.9","6.4.0","6.4.0-b1","6.4.0-b2","6.4.1","6.4.10","6.4.2","6.4.3","6.4.4","6.4.5","6.4.6","6.4.7","6.4.8","6.4.9","6.5.0","6.5.1","6.5.10","6.5.2","6.5.3","6.5.4","6.5.5","6.5.6","6.5.8","6.5.9","v2.6.7","v6.0.0","v6.0.0b1","v6.0.0b2","v6.0.0b3","v6.0.0b4","v6.0.0b5","v6.0.0b6","v6.0.0b7","v6.0.1","v6.0.10","v6.0.11","v6.0.12","v6.0.2","v6.0.3","v6.0.4","v6.0.5","v6.0.6","v6.0.8","v6.0.9","v6.1.0","v6.1.1","v6.1.10","v6.1.2","v6.1.3","v6.1.4","v6.1.5","v6.1.6","v6.1.7","v6.1.8","v6.1.9","v6.2.0","v6.2.0-b1","v6.2.0-rc1","v6.2.0-rc2","v6.2.1","v6.2.2","v6.2.3","v6.2.4","v6.2.5","v6.2.6","v6.2.8","v6.2.9","v6.4.0","v6.4.0-b1","v6.4.0-b2","v6.4.1","v6.4.10","v6.4.2","v6.4.3","v6.4.4","v6.4.5","v6.4.6","v6.4.7","v6.4.8","v6.4.9","v6.5.0","v6.5.1","v6.5.10","v6.5.2","v6.5.3","v6.5.4","v6.5.5","v6.5.6","v6.5.8","v6.5.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59413.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}]}