PT-2018-10611 · Opencart · Opencart

Published 2018-05-26 · Updated 2022-05-14 · CVE-2018-11494

CVSS v3.1: 8.0 (High)

Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenCart versions through 3.0.2.0

Description: The issue concerns the "program extension upload" feature, whose installation flow is a six-step process ending with a remove step. Because that remove step can be skipped, the installer's temporary directory is left in place; its name is meant to be secret, but an attacker can discover it through a directory traversal involving the language info['code'] variable, and can then execute arbitrary code.

Recommendations: For OpenCart versions through 3.0.2.0, disable or restrict the "program extension upload" feature until the fix is applied. The CVSS vector (PR:H) indicates that exploitation requires a high-privilege account, so limiting administrator accounts and access to the administration panel reduces exposure. Validate the language info['code'] value against a strict allowlist before it is used to build any filesystem path, and make the installer remove its temporary directory server-side regardless of whether the client completes the remove step.
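As an added illustration (hypothetical code, not OpenCart's and not taken from the advisory's sources), the Python below models the two weaknesses the description names: a filesystem path built from a user-controlled language code, and an installer whose temporary directory survives when the client skips the final cleanup step. The directory layout (`<base>/language/<code>`), the accepted code format, and the `temp-<random>` staging name are assumptions for the example, not OpenCart's actual layout.

```python
"""Hypothetical model of CVE-2018-11494's two weaknesses (not OpenCart code):
an unchecked language code used in a path, and a cleanup step the client
can skip. Layout, code format and staging-name scheme are assumptions."""
import os
import re
import secrets
import shutil
import tempfile
from contextlib import contextmanager

# Assumed allowlist: lowercase ISO-style codes such as "pt" or "en-gb".
LANG_CODE_RE = re.compile(r"[a-z]{2}(-[a-z]{2})?")


def unsafe_language_dir(base_dir: str, code: str) -> str:
    """Vulnerable pattern: the request value is joined straight into the path,
    so "../" segments (or an absolute path) walk out of the language tree."""
    return os.path.normpath(os.path.join(base_dir, "language", code))


def escapes_language_root(base_dir: str, code: str) -> bool:
    """True when the unsafe builder resolves outside <base_dir>/language."""
    root = os.path.normpath(os.path.join(base_dir, "language"))
    return os.path.commonpath([root, unsafe_language_dir(base_dir, code)]) != root


def safe_language_dir(base_dir: str, code: str) -> str:
    """Hardened pattern: allowlist the code, then confirm the resolved path is
    still inside <base_dir>/language (realpath also defeats symlink tricks)."""
    if not LANG_CODE_RE.fullmatch(code):
        raise ValueError(f"rejected language code {code!r}")
    root = os.path.realpath(os.path.join(base_dir, "language"))
    target = os.path.realpath(os.path.join(root, code))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"{target} escapes {root}")
    return target


def skipped_remove_leaves_files(upload_root: str) -> bool:
    """Vulnerable lifecycle: cleanup happens only if the client sends the final
    step, so an attacker who stops early keeps their files on disk."""
    staging = os.path.join(upload_root, "temp-" + secrets.token_hex(8))
    os.makedirs(staging, mode=0o700)
    with open(os.path.join(staging, "payload.txt"), "w") as fh:
        fh.write("extension contents (constructed sample)\n")
    # ... the client never calls the "remove" step ...
    return os.path.exists(staging)


@contextmanager
def extension_staging(upload_root: str):
    """Hardened lifecycle: the staging directory is unguessable AND is removed
    when the request finishes, whether or not the client asked for cleanup."""
    staging = os.path.join(upload_root, "temp-" + secrets.token_hex(8))
    os.makedirs(staging, mode=0o700)
    try:
        yield staging
    finally:
        shutil.rmtree(staging, ignore_errors=True)


def run_demo() -> dict:
    """Exercise every case above in a scratch directory and report outcomes."""
    base = tempfile.mkdtemp(prefix="cve-2018-11494-demo-")
    os.makedirs(os.path.join(base, "language", "en-gb"))

    def rejects(code: str) -> bool:
        try:
            safe_language_dir(base, code)
        except ValueError:
            return True
        return False

    outcome = {
        "unsafe_traversal_escapes": escapes_language_root(base, "../../etc"),
        "unsafe_absolute_escapes": escapes_language_root(base, "/etc/passwd"),
        "safe_accepts_valid_code": safe_language_dir(base, "en-gb").endswith(
            os.path.join("language", "en-gb")),
        "safe_rejects_all_bad_codes": all(
            rejects(c) for c in ("../../etc", "/etc/passwd", "en-gb/../..", "en-gb\x00")),
        "vulnerable_lifecycle_leaves_files": skipped_remove_leaves_files(base),
    }
    with extension_staging(base) as staging:
        with open(os.path.join(staging, "payload.txt"), "w") as fh:
            fh.write("extension contents (constructed sample)\n")
        outcome["hardened_staging_exists_during_install"] = os.path.isdir(staging)
    outcome["hardened_staging_removed_afterwards"] = not os.path.exists(staging)
    shutil.rmtree(base, ignore_errors=True)
    return outcome


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The allowlist alone already stops every traversal input in the demo; the `realpath` containment check is defense in depth for the case where an attacker controls a symlink under the language tree. The context manager is the point of the second half: the secret directory name only protects files that are still there, so cleanup must not depend on the client finishing the protocol.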

Exploit

Fix

Path traversal

Unrestricted File Upload


Weakness Enumeration

Related identifiers

CVE-2018-11494
GHSA-WX3Q-F5F2-4Q8V

Affected products

Opencart