CVE-2024-1705 in Shopwindinfo

Summary

by MITRE • 02/21/2024

A vulnerability was found in Shopwind up to 4.6. It has been rated as critical. This issue affects the function actionCreate of the file /public/install/controllers/DefaultController.php of the component Installation. The manipulation leads to code injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-254393 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 02/12/2025

The vulnerability identified as CVE-2024-1705 represents a critical code injection flaw within the Shopwind e-commerce platform version 4.6 and earlier. This security weakness resides in the installation component's DefaultController.php file, specifically within the actionCreate function, making it a prime target for malicious actors seeking to compromise systems running this software. The vulnerability's classification as critical stems from its potential to allow arbitrary code execution, which could result in complete system compromise and unauthorized access to sensitive data.

The technical nature of this flaw involves a code injection vulnerability that allows attackers to manipulate the actionCreate function through remote execution channels. This type of vulnerability falls under CWE-94, which specifically addresses "Improper Control of Generation of Code ('Code Injection')" and aligns with ATT&CK technique T1059.007 for "Command and Scripting Interpreter: Python" as the attack vector. The complexity required to exploit this vulnerability is noted as high, indicating that while the attack surface exists, successful exploitation demands significant technical expertise and resources. The vulnerability's remote exploitation capability means attackers can target systems without requiring physical access, significantly expanding the potential attack surface.

The operational impact of this vulnerability extends beyond simple data theft or system disruption, as code injection vulnerabilities can enable attackers to establish persistent backdoors, escalate privileges, and potentially move laterally within network environments. The fact that this vulnerability has been publicly disclosed and its exploit is known to be in circulation increases the immediate risk to affected organizations. The lack of vendor response to early disclosure attempts compounds the problem, leaving users without official patches or mitigation guidance during the critical period when the vulnerability is actively being exploited in the wild.

Organizations running Shopwind versions up to 4.6 should immediately implement emergency mitigations including network segmentation, firewall rule restrictions on installation endpoints, and monitoring for suspicious activity patterns. The recommended approach involves disabling or restricting access to the vulnerable DefaultController.php file through web server configuration, implementing input validation controls, and deploying web application firewalls to detect and block malicious payloads. Security teams should also conduct comprehensive vulnerability assessments to identify any potential compromise indicators and consider implementing runtime application self-protection measures to prevent exploitation attempts. The vulnerability's public disclosure status necessitates immediate action as the window for exploitation is likely already open in the broader threat landscape.

Responsible

VulDB

Reservation

02/21/2024

Disclosure

02/21/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00594

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!