CVE-2017-11675

Name of the Vulnerable Software and Affected Versions ZenCart version 1.5.5e

Description The issue arises from the traverseStrictSanitize function in admin dir/includes/classes/AdminRequestSanitizer.php, which mishandles key strings. This allows remote authenticated users to execute arbitrary PHP code by placing that code into an invalid array index of the admin name array parameter to admin dir/login.php, if there is an export of an error-log entry for that invalid array index.

Recommendations For ZenCart version 1.5.5e, consider disabling the traverseStrictSanitize function until a patch is available, or restrict access to the admin dir/login.php endpoint to minimize the risk of exploitation. Avoid using the admin name array parameter in the affected endpoint until the issue is resolved.