CVE-2020-21120

Name of the Vulnerable Software and Affected Versions UQCMS version 2.1.3

Description The issue allows attackers to execute arbitrary commands via the cookie cart parameter to the "/index.php/cart/num" API endpoint. This is due to a SQL Injection vulnerability in the file homecontrolscart.class.php.

Recommendations For UQCMS version 2.1.3, consider disabling access to the "/index.php/cart/num" API endpoint until a patch is available. Additionally, restrict the use of the cookie cart parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.