Submission #845908: kirilkirkov Ecommerce-CodeIgniter-Bootstrap master Deserialization Info

Title: kirilkirkov Ecommerce-CodeIgniter-Bootstrap master Deserialization
Description:

## Description

Ecommerce-CodeIgniter-Bootstrap contains an unsafe deserialization vulnerability in its shopping cart cookie handling. The application reads the attacker-controlled `shopping_cart` cookie and passes it directly to PHP `unserialize()` without validating the serialized type or enforcing an expected safe structure. An unauthenticated attacker can supply crafted serialized data that breaks the shopping cart flow and triggers an application-level denial of service. In the verified environment, the crafted cookie caused an HTTP 500 response with verbose error output that disclosed internal paths and implementation details.

## Technical Details

- Affected component: `application/libraries/ShoppingCart.php`
- Vulnerable function: `getCartItems()`
- Vulnerable sink: `unserialize(get_cookie('shopping_cart'))`
- Trigger path: `/index.php/shopping-cart`
- Weakness: `CWE-502`
- CVSS v3.1: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H`
- Severity: `High`
- Published: `2026-05-20`
- Patched version / fix commit: `49b20f53de2b7ec34e920b11c863f1491d911a04`
- GitHub Security Advisory: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/security/advisories/GHSA-9g5q-g6m3-v5cr
- Vendor fix: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/commit/49b20f53de2b7ec34e920b11c863f1491d911a04
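The pattern the advisory describes, and one way to harden it, as an added example that is not code from the Ecommerce-CodeIgniter-Bootstrap project or from the vendor's fix commit. The function names `parseCartUnsafe` and `parseCartSafe`, the assumed item shape (`id` and `quantity` integers), and all sample cookie values are constructed for illustration; the example takes the raw cookie string as a parameter instead of calling CodeIgniter's `get_cookie()` so it runs without the framework.

```php
<?php
// Added example, not code from the Ecommerce-CodeIgniter-Bootstrap project.
// Assumption: the cart cookie holds a serialized PHP array of items shaped
// like ['id' => int, 'quantity' => int]. The item schema is a guess for
// illustration only; the real project's schema may differ.
declare(strict_types=1);

/**
 * The pattern the advisory describes: an attacker-controlled cookie value
 * goes straight into unserialize() with no type or structure check. Any
 * non-array payload (a scalar, an object of an unloaded class, malformed
 * data) is handed to the cart code, which then fails on array handling.
 */
function parseCartUnsafe(string $cookieValue)
{
    return unserialize($cookieValue);
}

/**
 * Hardened variant (the author's own, not the vendor's fix): no object
 * instantiation, bounded nesting, strict shape validation, and an empty
 * cart as the fallback for anything unexpected.
 */
function parseCartSafe(?string $cookieValue): array
{
    if ($cookieValue === null || $cookieValue === '') {
        return [];
    }
    // A legitimate cart is a serialized array, so reject anything that does
    // not start with "a:" before unserialize() ever runs.
    if (strncmp($cookieValue, 'a:', 2) !== 0) {
        return [];
    }
    // allowed_classes=false turns any embedded "O:" token into
    // __PHP_Incomplete_Class instead of instantiating a class (no magic
    // method side effects). max_depth (PHP >= 7.4) bounds nesting so deeply
    // nested payloads fail fast. "@" suppresses the notice/warning that
    // unserialize() emits on malformed input; it returns false instead.
    $data = @unserialize($cookieValue, ['allowed_classes' => false, 'max_depth' => 4]);
    if (!is_array($data)) {
        return [];
    }
    $items = [];
    foreach ($data as $item) {
        if (!is_array($item)
            || !isset($item['id'], $item['quantity'])
            || !is_int($item['id']) || !is_int($item['quantity'])
            || $item['id'] <= 0 || $item['quantity'] <= 0) {
            return []; // one malformed entry invalidates the whole cart
        }
        $items[] = ['id' => $item['id'], 'quantity' => $item['quantity']];
    }
    return $items;
}

// Constructed sample cookie values (not payloads from the advisory).
$samples = [
    'valid'     => serialize([['id' => 7, 'quantity' => 2]]),
    'scalar'    => 'i:1;',                                              // not an array
    'object'    => 'O:8:"NotThere":0:{}',                               // unloaded class
    'nested'    => 'a:1:{i:0;a:1:{i:0;a:1:{i:0;a:1:{i:0;a:0:{}}}}}',    // too deep
    'malformed' => 'a:1:{i:0;',                                         // truncated
    'bad_field' => serialize([['id' => 'x', 'quantity' => 1]]),         // wrong type
];
foreach ($samples as $name => $raw) {
    printf("%-10s safe=%s\n", $name, json_encode(parseCartSafe($raw)));
}
```

Only the `valid` sample yields a non-empty cart; every other input falls back to an empty cart rather than reaching array-handling code with a scalar, an incomplete object or a false value. A stricter alternative that removes `unserialize()` from the cookie path entirely is to store the cart as JSON (or only a server-side session key) and apply the same shape validation after `json_decode()`.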
Source: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/security/advisories/GHSA-9g5q-g6m3-v5cr
User: Anonymous User
Submitted: 2026-06-02 10:14 AM (1 month ago)
Moderation: 2026-07-03 07:25 PM (1 month later)
Status: Accepted
VulDB Entry: 376152 [kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 13fd582aaf49aeab7438acc0fc3eb973a1f5e6a7 ShoppingCart.php getCartItems shopping_cart privilege escalation]
Points: 20