CVE-2012-5907

Name of the Vulnerable Software and Affected Versions TomatoCart version 1.2.0 Alpha 2 and possibly earlier

Description The issue allows remote attackers to read arbitrary files due to a directory traversal vulnerability in the json.php file. This is achieved by using a .. (dot dot) in the module parameter in a "3" action.

Recommendations For TomatoCart version 1.2.0 Alpha 2 and possibly earlier, consider restricting access to the json.php file or the module parameter to minimize the risk of exploitation. As a temporary workaround, avoid using the module parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.