2013-02-24 11:00:00
certcc
PUBLISHED
CS-Cart before 3.0.6, when PayPal Standard Payments is configured, allows remote attackers to set the payment recipient via a modified value of the merchants e-mail address, as demonstrated by setting the recipient to ones self.