Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
osCommerce Improper Control of Generation of Code (Code Injection) Vulnerability - CVE-2018-18573 - Vulnerability Database
osCommerce

osCommerce Improper Control of Generation of Code (Code Injection) Vulnerability - CVE-2018-18573

High
Reference: CVE-2018-18573
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2018-18573
Title: osCommerce Improper Control of Generation of Code (Code Injection) Vulnerability
Overview:

osCommerce 2.3.4.1 has an incomplete 39.htaccess39 for blacklist filtering in the quotproductquot page. Remote authenticated administrators can upload new 39.htaccess39 files (e.g. omitting .php) and subsequently achieve arbitrary PHP code execution via a /catalog/admin/categories.phpcPathampactionnew_product URI.