Description

Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/record_company.php, which allows remote attackers to execute arbitrary code by uploading a .php file via the record_company_image parameter in conjunction with a PATH_INFO of password_forgotten.php, then accessing this file via a direct request to the file in images/.

Remediation

References

CVE-2009-2255

Related Vulnerabilities

WordPress Plugin Websimon Tables Cross-Site Scripting (1.3.4)

RubyGems Cryptographic Issues Vulnerability (CVE-2013-4363)

IBM RTC Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2017-1753)

phpList CVE-2017-20031 Vulnerability (CVE-2017-20031)

MyBB Improper Access Control Vulnerability (CVE-2016-9413)

Severity

Medium

Classification

CVE-2009-2255 CWE-287

Tags

Missing Update Known Vulnerabilities