Description

Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/record_company.php, which allows remote attackers to execute arbitrary code by uploading a .php file via the record_company_image parameter in conjunction with a PATH_INFO of password_forgotten.php, then accessing this file via a direct request to the file in images/.

Remediation

References

CVE-2009-2255

Related Vulnerabilities

SugarCRM Incomplete List of Disallowed Inputs Vulnerability (CVE-2015-5946)

WordPress Plugin Multivendor Marketplace Solution for WooCommerce-WC Marketplace Unspecified Vulnerability (2.1.2)

WordPress Plugin iThemes Security (formerly Better WP Security) Cross-Site Scripting (3.5.3)

IBM RTC Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2018-1423)

Handlebars Loop with Unreachable Exit Condition ('Infinite Loop') Vulnerability (CVE-2019-20922)

Severity

Medium

Classification

CVE-2009-2255 CWE-287

Tags

Missing Update Known Vulnerabilities