Description
Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/record_company.php, which allows remote attackers to execute arbitrary code by uploading a .php file via the record_company_image parameter in conjunction with a PATH_INFO of password_forgotten.php, then accessing this file via a direct request to the file in images/.
Remediation
References
Related Vulnerabilities
Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-2079)
WordPress Plugin Essential Content Types Security Bypass (1.8.6)
WordPress Plugin WP Canvas-Shortcodes Cross-Site Scripting (2.06)
Apache Tomcat Uncontrolled Resource Consumption Vulnerability (CVE-2019-0199)
WordPress Plugin Aspose Cloud eBook Generator Arbitrary File Download (1.0)