← Voltar para CVEs
CVE-2018-18572
N/ADescricao
osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Because of this filter, script files with certain PHP-related extensions (such as .phtml and .php5) didn't execute in the application. But this filter didn't prevent the '.pht' extension. Thus, remote authenticated administrators can upload '.pht' files for arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=new_product URI.
Detalhes CVE
Pontuacao CVSS v3.1N/A
Publicado8/22/2019
Ultima modificacao11/21/2024
Fontenvd
Avistamentos honeypot0
Produtos afetados
oscommerce:oscommerce
Fraquezas (CWE)
CWE-434
Referencias
https://github.com/osCommerce/oscommerce2/issues/631(cve@mitre.org)
https://github.com/osCommerce/oscommerce2/issues/631(af854a3a-2127-422b-91ae-364da2661108)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.