Submit #280001: Shopwind Shopwind <=4.6 Configuration injection

Title: Shopwind Shopwind <=4.6 Configuration injection
Description: The Shopwind software, specifically version ≤4.6, has a critical configuration injection vulnerability within the "DefaultController.php" file. This vulnerability allows an attacker to manipulate database creation parameters during the installation process, leading to arbitrary code execution. The issue arises because the software only verifies the referer without validating the install.lock. As a result, an attacker can create a malicious database on their own server, then run a POST request to reinstall the software using this database information, effectively injecting their own code into the "config.php" file. This vulnerability enables remote code execution, posing a significant security risk.
Source: https://note.zhaoj.in/share/QHdXavkw5eDm
User: glzjin (UID 59815)
Submission: 09.02.2024 16:32 (2 years ago)
Moderated: 21.02.2024 11:43 (12 days later)
Status: Accepted
VulDB Entry: 254393 [Shopwind up to 4.6 Installation DefaultController.php actionCreate privilege escalation]
Points: 20
